SECURITY RISK ASSESSMENT 
AND MANAGEMENT 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


SECURITY RISK 
ASSESSMENT 
AND 
MANAGEMENT: 


A Professional Practice Guide 
for Protecting Buildings 
and Infrastructures 


By 


Betty E. Biringer 
Rudolph V. Matalucci 
Sharon L. O'Connor 


1807 | 
*/ @WILEY|; 
92007 | 


r 
BICENTENNIAL 






































John Wiley & Sons, Inc. 


This book is printed on acid-free paper. 
Copyright © 2007 by John Wiley & Sons, Inc. All rights reserved. 


Published by John Wiley & Sons, Inc., Hoboken, New Jersey. 
Published simultaneously in Canada. 


No part of this publication may be reproduced, stored in a retrieval system, or transmitted 
in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or 
otherwise, except as permitted under Section 107 or 108 of the 1976 United States 
Copyright Act, without either the prior written permission of the Publisher, or 
authorization through payment of the appropriate per-copy fee to the Copyright Clearance 
Center, 222 Rosewood Drive, Danvers, MA 01928, (978) 750-8400, fax (978) 646-8600, or on 
the Web at www.copyright.com. Requests to the Publisher for permission should be 
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, 
Hoboken, NJ 070380, (201) 748-6011, fax (201) 748-6008, or online at 
www.wiley.com/go/permission. 


Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their 
best efforts in preparing this book, they make no representations or warranties with 
respect to the accuracy or completeness of the contents of this book and specifically 
disclaim any implied warranties of merchantability or fitness for a particular purpose. No 
warranty may be created or extended by sales representatives or written sales materials. 
The advice and strategies contained herein may not be suitable for your situation. You 
should consult with a professional where appropriate. Neither the publisher nor author 
shall be liable for any loss of profit or any other commercial damages, including but not 
limited to special, incidental, consequential, or other damages. 


For general information on our other products and services or for technical support, please 
contact our Customer Care Department within the United States at (800) 762-2974, 
outside the United States at (817) 572-3993 or fax (317) 572-4002. 


Wiley also publishes its books in a variety of electronic formats. Some content that appears 
in print may not be available in electronic formats. For more information about Wiley 
products, visit our Web site at www.wiley.com. 


Library of Congress Cataloging-in-Publication Data: 


Biringer, Betty E., 1952- 

Security risk assessment and management: a professional practice 
guide for protecting buildings and infrastructures / by Betty E. 
Biringer, Rudolph V. Matalucci, Sharon L. O’Connor. 

p. cm. 

Includes bibliographical references and index. 

ISBN-13: 978-0-471-79352-6 (cloth) 

ISBN-10: 0-471-79352-3 (cloth) 

1. Buildings--Security measures. 2. Risk assessment. 
I. Matalucci, Rudolph V. II. O’Connor, Sharon L. III. Title. 
TH9705.B75 2007 
658.4'7--dc22 

2006023980 

Printed in the United States of America. 


10987654321 


... to the volunteer men and women of the 
Interagency Forum for Infrastructure Protection (IFIP) 
who gave of their vision, commitment, and 
determination to protect and secure our critical 
national infrastructure, long before the events of 
September 11, 2001. 


Figures 
Tables 
Preface 


Contents 


Acknowledgments 


Part | 


1 Security Risk Assessment and Management Process 


1.1 
1.2 
1.8 


1.4 
1.6 
1.6 
1.7 


Introduction 

Security Risk Equation 

Security Risk Assessment and Management 
Process 

1.3.1 Facility Characterization 

1.3.2 Threat Analysis 

1.3.3 Consequence Analysis 

1.3.4 System Effectiveness Assessment 
1.3.5 Risk Estimation 

1.3.6 Comparison of Estimated Risk Levels 
1.3.7 Risk Reduction Strategies 
Presentation to Management 

Risk Management Decisions 

Information Protection 

Process Summary 


vii 


XV 
хіх 
xxi 

XXV 


10 
11 
13 
16 
17 
17 
18 
18 
19 
19 


viii 


1.8 
1.9 


CONTENTS 


References 
Exercises 


Screening Analysis 


2.1 
2.2 
2.3 
2.4 
2.5 


Introduction 

Screening Analysis Methods 
Summary 

References 

Exercises 


Facility Characterization 


31 Introduction 
3.2 Undesired Events 
3.3 Facility Description 
3.3.1 Physical Details 
3.3.2 Cyber-Information System 
3.3.3 Facility Operations 
3.3.4 Security Protection Systems 
3.3.5 Workforce Description 
3.3.6 Restrictions, Requirements, 
Limitations 
3.4 Critical Assets 
341 Generic Fault Tree 
3.4.2 Identifying Critical Assets 
3.5 Protection Objectives 
3.6 Summary 
3.7 References 
3.8 Exercises 
Threat Analysis 
41 Introduction 
4.2 Sources of Threat Information 


4.2.1 Local and State Sources 
4.2.2 National Sources 


20 
21 


23 
23 
23 
30 
30 
30 


31 
31 
32 
33 
33 
34 
34 
35 
38 


39 
40 
40 
42 
44 
45 
46 
46 


49 
49 
50 
51 
52 


4.8 
44 
4.5 


4.6 
4Л 
4.8 


Contents 


Adversary Spectrum 
Adversary Capability 
Threat Potential for Attack 
451 Outsider Threat 
4.5.2 Insider Threat 
Summary 

References 

Exercises 


Consequence Analysis 


5.1 
5.2 
5.3 
5.4 
5.5 
5.6 


Introduction 

Reference Table of Consequences 
Consequence Values for Undesired Events 
Summary 

References 

Exercises 


Asset Prioritization 


6.1 
6.2 
6.3 
6.4 
6.5 


Introduction 
Prioritization Matrix 
Summary 
References 

Exercises 


System Effectiveness 


ok 
7.2 


7.3 
7.4 
7.5 


Introduction 

Protection System Effectiveness 

7.21 Adversary Strategies 

7.2.2 Physical Protection System 
Effectiveness 

7.2.8 Cyber-Protection System Effectiveness 

Summary 

References 

Exercises 


53 
56 
58 
62 
69 
71 
71 
72 


75 
75 
75 
Ш 
81 
81 
81 


83 
83 
84 
85 
85 
86 


87 
87 
88 
88 


90 
106 
116 
117 
118 


СОМТЕМТ5 


8 Estimating Security Risk 


10 


8.1 
8.2 


8.3 
8.4 
8.5 


Introduction 

Estimating Security Risk 
8.2.1 Conditional Risk 
8.2.2 Relative Risk 
Summary 

References 

Exercises 


Risk Reduction Strategies 


9.1 
9.2 
9.8 


9.4 


9.5 
9.6 
97 
9.8 


Introduction 

Strategies for Reducing Likelihood of Attack 
Strategies for Increasing Protection System 
Effectiveness 

9.3.1 Physical Protection System Upgrades 
9.3.2 Cyber-Protection System Upgrades 
9.3.3 Protection System Upgrade Package(s) 
Strategies for Mitigating Consequences 

9.4.1 Construction Hardening 

9.4.2 Redundancy 

9.4.3 Optimized Recovery Strategies 

9.4.4 Emergency Planning 

Combinations of Reduction Strategies 
Summary 

References 

Exercises 


Evaluating Impacts 


10.1 
10.2 
10.3 
10.4 
10.5 
10.6 


Risk Level 

Costs 

Operations/Schedules 
Public Opinion 

Other Site-Specific Concerns 
Review Threat Analysis 


121 
121 
121 
122 
122 
125 
125 
125 


127 
127 
127 


129 
129 
129 
129 
182 
188 
141 
148 
145 
148 
149 
150 
151 


153 
158 
157 
159 
160 
160 
161 


11 


12 


10.7 
10.8 
10.9 


Contents 


Summary 
References 
Exercises 


Risk Management Decisions 


11.1 
11.2 


11.8 
11.4 
11.5 
11.6 
11.7 


Introduction 

Risk Assessment Results 

11.2.1 Executive Summary 

11.2.2 Introduction 

11.2.3 Threat Analysis 

11.2.4 Consequence Analysis 

11.2.5 System Effectiveness Assessment 

11.2.6 Risk Estimation 

11.2.7 Risk Reduction Strategies and 
Packages 

11.2.8 Impact Analysis 

11.2.9 Supporting Documentation 

11.2.10 Report Overview 

Risk Management Decisions 

Establish Design Threat 

Summary 

References 

Exercises 


Summary 


121. 
12.2 
12.8 
12.4 
12.5 
12.6 


12.7 


Facility Characterization 

Threat Analysis 

Consequence Analysis 

System Effectiveness Assessment 

Risk Estimation 

Comparison of Estimated Risk Level to 
Threshold 

Risk Reduction Strategies 


xi 


162 
162 
163 


165 
165 
166 
167 
167 
168 
168 
169 
169 


170 
170 
171 
171 
171 
173 
174 
174 
174 


175 
177 
178 
180 
180 
182 


188 
188 


xii 
12.8 
12.9 
12.10 
Part II 


CONTENTS 


Analysis of Impacts Imposed by Risk Reduction 
Upgrade Packages 

Presentation to Management 

Risk Management Decisions 


13 Demonstration of the Security Risk Assessment and 
Management Process 


13.1 
13.2 


13.3 
13.4 
13.5 
13.6 
13.7 
13.8 
13.9 
13.10 


13.11 


13.12 


Introduction 

Security Risk Assessment and Management 

Process 

Screening Analysis 

Facility Characterization 

Operations 

General Description 

Threat 

Consequences 

Prioritization Analysis 

Protection System Effectiveness 

13.10.1 Physical Protection System 
Effectiveness 

13.10.2 Analysis of Blast Effects 

Estimation of Risk 

13.11.1 Risk Summary 

Risk Reduction Strategies 

13.12.1 Physical Protection System Upgrades 

13.12.2 Result of Physical Protection System 
Upgrades 

13.12.3 Cyber-Protection System Upgrades 

13.12.4 Results of Cyber-Protection System 
Upgrades 


184 
185 
185 


187 


189 
189 


190 
192 
195 
196 
198 
214 
228 
238 
243 


245 
264 
269 
269 
272 
273 


276 
280 


281 


Contents 


13.12.5 Consequence Mitigation Upgrades 
13.12.6 Summary 
13.13 Impact Analysis 
13.13.1 Impacts of Upgrade Package 
13.13.2 Impacts of Consequence Mitigation 
Package 
13.14 Presentation to Management 
13.14.1 Threat Description 
13.14.2 Security Risk Estimates for the 
Baseline System 
13.14.3 Risk Reduction Packages 
13.14.4 Impact Analysis for Risk Reduction 
Package 
13.15 Risk Management Decisions 


Appendix A: Generic Fault Tree for Buildings 
Appendix B: Adversary Sequence Diagrams 

Appendix C: Physical System Effectiveness Worksheets 
Appendix D: Insider Threat 

Acronyms 

Glossary 


Index 


xiii 


281 
284 
285 
285 


288 
288 
289 


289 
290 


294 
295 


297 
303 
309 
329 
345 
347 


353 


Figure 1.1 
Figure 1.2 
Figure 1.3 


Figure 1.4 


Figure 2.1 
Figure 3.1 
Figure 3.2 


Figure 3.3 
Figure 4.1 
Figure 6.1 


Figure 6.2 
Figure 7.1 
Figure 7.2 
Figure 7.3 


Figure 7.4 
Figure 7.5 
Figure 7.6 
Figure 7.7 


Figures 


Decisions for Security Risk Managers. 


Parameters Used to Estimate Security Risk. 


Security Risk Assessment and Management 
Process. 

Estimating Threat Potential (Likelihood of 
Attack) for Attack. 

Security Screening Analysis Method. 
Elements of Facility Characterization. 
Tree Top for Generic Fault Tree for 
Building. 

Modification of Generic Tree for Example. 
Threat Analysis Process. 

Prioritization Matrix Example for 
Undesired Events/Assets at a Facility. 
Prioritization Matrix Example for Sites. 
Possible Adversary Paths. 

Basic Areas at the Example Building. 
Adjacent Physical Areas for the Example 
Building. 

Path Elements between Adjacent Areas. 
ASD Concept. 

Interrelationships of PPS Functions. 
Example Facility with Complex Protection 
System. 


XV 


11 
25 
32 


42 
44 
50 


84 
85 
91 
92 


92 
98 
98 
98 


101 


xvi 


Figure 7.8 


Figure 7.9 
Figure 7.10 


Figure 7.11 
Figure 9.1 
Figure 9.2 


Figure 9.3 


Figure 10.1 


Figure 10.2 


Figure 10.3 


Figure 10.4 


Figure 10.5 


Figure 10.6 
Figure 12.1 


Figure 13.1 


Figure 13.2 


FIGURES 


ASD for Example Facility with Complex 
Protection System. 

Example Simple Cyber-System. 
Cyber-Path-Diagram for Example Simple 
Cyber-System. 

Example Cyber-Protection System 
Effectiveness Assessment. 

Basis of Risk Reduction Strategies. 
Generic Table of Explosive Blast Effects. 
Summary of Potential Security Risk 
Reduction Strategies. 

Example Summary Form for Comparing 
Estimated Protection System Effectiveness 
(PE) Values for Upgrade Package to 
Baseline Protection System Effectiveness 
Values. 

Example Summary Form for Comparing 
Estimated Consequence (C) Values for 
Upgrade Package to Baseline Consequence 
Values. 

Example Risk Calculation Worksheet for 
Risk Reduction Packages. 

Example System Risk Comparison 
Summary Form. 

Displaying Relative Impacts of Multiple 
Risk Reduction Packages. 

Revised Threat Description Form. 
Security Risk Assessment and Management 
Process. 

Security Risk Assessment and Management 
Process. 

Example Building. 


101 
108 


109 


116 


128 


140 


150 


155 


156 


157 


158 


159 
161 


176 


191 
197 


Figure 13.3 


Figure 13.4 
Figure 13.5 
Figure 13.6 


Figure 13.7 


Figure 13.8 

Figure 13.9 

Figure 13.10 
Figure 13.11 
Figure 13.12 
Figure 13.13 
Figure 13.14 
Figure 13.15 


Figure 13.16 


Figure 13.17 
Figure 13.18 
Figure 13.19 
Figure 13.20 


Figure B.1 
Figure B.2 
Figure B.3 


Figure B.4 
Figure B.5 
Figure B.6 
Figure B.7 


Figures 


Example Building Floor Plan and Site 
Layout. 

Top Level of Generic Building Fault Tree. 
Disrupt Normal Work Operations Branch. 
Compromise Structural Integrity of 
Building Branch. 

Compromise Health and Safety of 
Occupants Branch. 

Disable/Misuse Physical Utilities Branch. 
Disable/Misuse Emergency Systems Branch. 
Disable/Misuse Information System Branch. 
ASD for Vault L —Ground Attack. 

ASD for Courtyard —Ground Attack. 

ASD for Control Center. 

Building Information System Architecture. 
Cyber-Path-Diagram for Critical 
Cyber-Assets in Business IT System or 
Production Process Control System. 
Physical Protection System Effectiveness for 
Upgraded Package vs. Baseline System. 
Scenario Analysis for Armed Robbery. 
Scenario Analysis for Attacks in Courtyard. 
Scenario Analysis for Control Center Attack. 
Expected Negative Impacts of Upgrade 
Package. 

Possible Adversary Paths. 

Basic Areas at the Example Building. 
Adjacent Physical Areas for the Example 
Building. 

Path Elements between Adjacent Areas. 
ASD Concept. 

Sample Facility with Jump. 

ASD for Sample Facility with Jump. 


xvii 


200 
209 
209 


210 


210 
211 
211 
212 
248 
250 
252 
260 


261 


276 
278 
278 
279 


285 
304 
305 


305 
305 
306 
307 
307 


xviii 

Figure C.1 
Figure C.2 
Figure C.3 
Figure C.4 


Figure C.5 
Figure C.6 


Figure C.7 


Figure C.8 
Figure C.9 


Figure C.10 
Figure C.11 
Figure C.12 
Figure D.1 


Figure D.2 


Figure D.3 
Figure D.4 


FIGURES 


Estimating Pedestrian Gate Detection 
Effectiveness. 

Estimating Pedestrian Gate Delay Time. 
Estimating Property Area Traversal Time. 
Estimating Pedestrian Door Detection 
Effectiveness. 

Estimating Pedestrian Door Delay Time. 
Estimating Building Interior Traversal 
Time. 

Estimating Control Room Door Detection 
Effectiveness. 

Estimating Control Room Door Delay Time. 
Estimating Control Room Area Traversal 
Time. 

Estimating Task Detection Effectiveness. 
Estimating Task Delay Time. 

Estimating Physical Protection System 
Effectiveness. 

Process to Develop an Integrated Protection 
System to Mitigate the Insider Threat. 
Basic Logic Tree for Example Undesired 
Event. 

Development of Branch of Tree. 

Example of Integration of Protection 
Function Features. 


319 
320 
320 


321 
322 


322 


323 
324 


325 


326 


327 


328 


330 


332 
333 


342 


Table 1.1 
Table 2.1 
Table 4.1 
Table 4.2 
Table 4.3 
Table 4.4 
Table 4.5 


Table 5.1 
Table 5.2 


Table 5.3 
Table 7.1 


Table 7.2 


Table 7.3 


Table 8.1 
Table 9.1 


Table 9.2 


Table 13.1 


Tables 


Consequence Definitions 

Example Screening Analysis 

Hypothetical Adversarial Threat Summary 
Factors for Estimating Threat Potential 
Assessing Adversary Capability 
History/Intent Assessment 

Relative Attractiveness of the Facility/Asset 
Assessment 

DoD Military Standard 882D 

Hypothetical Example of Reference Table of 
Consequences 

Consequence Value Estimation Example 
Detection and Delay Features for Path 
Elements for Example 

Summary Assessment Results for Example 
Scenario 

Relative Cyber-Protection System 
Effectiveness 

Estimating Relative Security Risk 
Potential Physical Protection System 
Upgrade Features 

Potential Cyber-Protection System Upgrade 
Features 

Consequence Evaluation for Each Building 


xix 


12 
26 
59 
63 
64 
66 


68 
Ш 


78 
49 


103 


105 


115 
128 


180 


181 
198 


хх 


Table 13.2 
Table 13.3 
Table 13.4 
Table 13.5 
Table 13.6 
Table 13.7 
Table 13.8 
Table 13.9 
Table 13.10 


Table 13.11 


Table 13.12 


Table 13.13 


Table 13.14 


Table 13.15 
Table 13.16 


Table 13.17 
Table 13.18 


Table 13.19 
Table 13.20 


Table C.1 
Table C.2 
Table C.3 
Table D.1 


TABLES 


Critical Assets for Building 

Threat Definition for Building 

Likelihood of Attack for the Terrorist Threat 
Likelihood of Attack for the Criminal Threat 
Likelihood of Attack for the Extremist Threat 
Likelihood of Attack for the Gang Threat 
Insider Threat Severity (TS) 

Consequence Definitions 

Estimation of Consequence Level for 
Undesired Events 

Likelihood of Attack vs. Consequence for the 
Terrorist Threat 

Likelihood of Attack vs. Consequence for the 
Criminal Threat 

Likelihood of Attack vs. Consequence for the 
Extremist Threat 

Likelihood of Attack vs. Consequence for the 
Gang Threat 

Prioritized Undesired Events for Analysis 
Summary of Physical Protection System 
Effectiveness for Baseline System 
Cyber-system Protection Features 
Cyber-Protection-System Effectiveness 
Assessments 

Security Risk Assessment Levels 
Comparison of Baseline Security Risk and 
Security Risk Reduction Afforded by the 
Upgrade Package 

Effectiveness Factors 

Worksheet for Area Traversal Time 
Response Effectiveness 

Example Summary of Insider Capability by 
Position for a Given Undesired Event 


213 
218 
219 
221 
223 
225 
227 
229 


230 


239 


240 


241 


242 
244 


256 
262 


263 
270 


286 
310 
311 
312 


335 


Preface 


Our purpose is to provide a professional best practice guidebook 
for engineers, architects, security specialists, law enforcement and 
emergency management officials, and managers who are respon- 
sible for secure and safe workplace environments for occupants 
and owners of buildings and supporting infrastructures. To protect 
against malevolent acts against buildings and their occupants, a 
security risk assessment and management process must be useful 
for: (1) identifying a regional and site-specific likely and credible 
threat spectrum, and subsequent development of a design basis 
threat, (2) evaluating consequences including loss of life and prop- 
erty, economic impact, and loss of any symbolic value and public 
confidence, and (3) assessing the ineffectiveness of the physical secu- 
rity and cyber-security systems against the threat and identifying 
any site-specific vulnerabilities in the security system. 

Our intent is to provide a systematic and robust security risk 
management approach about “how to” perform a complete risk 
assessment that assists the project owner and manager in deciding 
“why to” either accept the calculated risk or reduce the risk to a 
more acceptable level. The procedure for a viable risk reduction 
strategy is then addressed through the application of performance- 
based alternative security upgrades or consequence mitigation 
measures. 

The expanding national needs for adequate protection of the 
public and real property against malevolent acts of terrorism, the 


xxi 


xxii PREFACE 


availability of a variety of alternative security measures, and the 
demonstrated performance of these protective measures has cre- 
ated a paradigm shift in how currently prescriptive-based building 
codes might be limited where they are applied to the construction 
industry. Clear definition of basic security standards, especially for 
nongovernmental and commercial facilities, are currently minimal 
or nonexisting under malevolent threat conditions, and protection 
is usually dependent on a hypothetical and suspected threat and 
postulated protective system vulnerabilities. 

The need for a validated means to determine these new secu- 
rity requirements becomes more apparent following the events 
of September 11, 2001. A rigorous application of a security risk 
management approach seemed appropriate and advisable in the 
national interest. This security risk management approach has 
been applied to some federal facilities and can effectively be used to 
justify any requirement for a level of protection. This approach can 
also be used to demonstrate the performance of security upgrades 
or consequence mitigation measures and to ensure cost-effective 
return on capital investments. A viable risk management process, 
where used appropriately, also acts against any form of false secu- 
rity that might result from a poorly conceived and inadequately 
justified and engineered upgrade and mitigation plan. 

This guide book adapts the robust security tools and tech- 
niques developed by the Department of Energy’s lead national 
security laboratories for use across our homeland. We have been 
motivated, therefore, to apply our lessons learned for the appli- 
cation of a systematic process followed in this text that shifts 
from the widely applied compliance-based security upgrade proce- 
dure to a futuristic applied performance-based system evaluation 
using tested risk methodologies. No longer do we consider that 
applicable standard security codes alone are sufficient for use in 
implementation projects. Our hope for the future is that the use of 


Preface xxiii 


a risk-management-based approach will dominate security evalua- 
tions and analyses required before any perceived or recommended 
corrective action is undertaken. This “best practice” guide book 
will hopefully provide the necessary guidance to professionals and 
further assist with the management of security risks through a 
step-by-step procedure that achieves risk reduction and adequate 
security performance. 


Acknowledgments 


We wish to thank the technical reviewers, especially Ivan Wad- 
doups and Greg Wyss, for their numerous helpful comments and 
suggestions that immeasurably improved the content and descrip- 
tion of the process. We are grateful to Elizabeth Affeldt and P. 
Rebecca Baca for their prompt and careful editing of the text 
and most especially to Jackie Ripple of Tech Reps, a division of 
Ktech Corporation, for her diligence and timeliness in prepar- 
ing the text and figures for publication. We appreciate Tommy 
Woodall and Carla Ulibarri at Sandia National Laboratories for 
their management support of this work. 

We are grateful for the visionary guidance and support given 
by all the early contributors to the risk assessment methodology 
process development. The prototype infrastructure security risk 
assessment methodology was developed by Sandia National Lab- 
oratories for the Interagency Forum for Infrastructure Protection 
(IFIP), a consortium of federal agencies. Included as charter mem- 
bers of the IFIP are the US Army Corps of Engineers, the Bureau of 
Reclamation, the Tennessee Valley Authority, the Federal Bureau 
of Investigation, the Bonneville Power Administration, the West- 
ern Area Power Administration, and Sandia National Laboratories. 
Without the financial and intellectual contributions of these mem- 
ber agencies, the rigorous, replicable analytical process described 
in this book would not exist today. 


XXV 


xxvi ACKNOWLEDGMENTS 


William K. Paulus, formerly of Sandia National Laboratories, 
must be recognized for his technical contributions throughout 
the risk assessment methodology process development. His con- 
tributions to the application of fault trees, risk evaluations and 
calculations, consequence table development, and threat assess- 
ment procedures are invaluable. 

We gratefully acknowledge Dennis Miyoshi, director of the 
Security Systems and Technology Center, Sandia National Labo- 
ratories, for his persistent support, vision, and financial support, 
which made the preparation of this manuscript both technically 
rewarding and possible. Without his guidance and encouragement, 
this project would not have been successful. 

The submitted manuscript has been authored by a contrac- 
tor of the U.S. government under Contract DE-AC04-94AL85000. 
Accordingly, the U.S. government retains a nonexclusive, royalty- 
free license to publish or reproduce the published form of this 
contribution, or allow others to do so, for U.S. government pur- 
poses. 


Part | 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


Chapter 1 


Security Risk Assessment and 
Management Process 


1.1 INTRODUCTION 


Since September 11, 2001, decisions for security risk managers 
have become even more difficult. The terrorist threat potential, 
that is, the likelihood of an attack, motivations, and capabilities, 
has dramatically increased. The need to add security features 
has placed a heavy burden on the already strained budgets of 
government and commercial enterprises. Some companies have 
had to decide whether or not they can maintain their business and 
provide the required security to adequately protect their facilities 
and the lives of their employees. Security risk managers need a 
mechanism to help them analyze the information that they do 
have to make the most logical business decisions to protect their 
facilities against the very real potential of malevolent acts. 

First, managers must define what is essential to the mission 
of the facility: What are the undesired security events that would 
interrupt the mission, the consequences associated with the events, 
the targets that must be protected to prevent the security events, 
and the liabilities incurred? Concurrent with determining what is 
important to the mission is identifying what to protect against, 
that is, defining the adversarial threat spectrum to understand 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


3 


4 РАКТ ОМЕ 


who might attempt the undesired event(s). The adversarial threat 
spectrum could include international or domestic terrorists, reli- 
gious or political extremists, criminals, the mentally deranged, or 
the insider employee. Next, a system effectiveness analysis or vul- 
nerability analysis is completed to determine how well the current 
security system protects against the adversarial threat spectrum 
for the undesired events. Once the security system’s effectiveness 
is known, the security risk can be estimated and the manager must 
assess whether or not the risk level is acceptable. If the risk level is 
deemed to be too high, the manager must consider the impacts on 
operations and costs to reduce risk by improving the security sys- 
tem or reducing the consequences. Balancing the resultant impacts 
and risk reduction can present quite a challenge, but is of utmost 
importance. (See Figure 1.1.) 

This chapter will outline a validated risk assessment and man- 
agement process that supports managers in determining how much 
security is enough for their facility, business, or industry. Each fol- 
lowing chapter in this book will support one or more steps of the 
Security Risk Assessment and Management Process. The process 
can be and has been adapted for various applications, including 
many elements of our nation’s critical infrastructure. 


* “Undesired *Criminal *Extremist 
Consequences Events 








*Targets How Well are *Terrorist 
you protected? 


*Liabilities *Insider 





*ls risk acceptable? 


“Reduce Consequences * н . н 
*Operational trade-off 


“Improve Protection *Cost options 


Figure 1.1 Decisions for Security Risk Managers. 


Security Risk Assessment and Management Process 5 


The risk assessment and management process was developed at 
Sandia National Laboratories (SNL) in the 1990s for the Intera- 
gency Forum for Infrastructure Protection (IFIP). The IFIP was 
formed when various related government agencies with common 
security concerns came together to address security protection 
against the terrorist threat, as called for by Presidential Decision 
Directive #63, signed by former President Bill Clinton. Proven 
physical protection tools and concepts resulting from thirty years 
of testing and development at SNL were integrated into a single 
methodology for assessing infrastructure and life-threatening risk. 
The process was originally applied to the protection of federal 
dams, high-voltage electric power transmission systems, and other 
critical national infrastructures. The tool was completed, tested, 
and published a month before 9/11, and has since been used to 
estimate relative security risk level and to assess the protection 
effectiveness and design security and consequence mitigation sys- 
tems of hundreds of government and commercial facilities against 
malevolent acts. 

However, security risk is difficult to quantify. The traditional 
risk equation can be used to begin the process. Traditionally, 
security risk is a function of the likelihood of adversary attack, 
the likelihood that the adversary attack is successful, and the 
consequences associated with the loss to the attack. The relative 
risk estimation process described here is qualitative in nature and 
allows decision makers to rank events in relative order, to enable 
them to make risk management decisions. Figure 1.2 describes the 
three parameters used to estimate security risk. 

The conclusions drawn and the information used in the appli- 
cation of the risk assessment process produce sensitive company 
information that must be protected. The level of protection of 
the information and the means of protection must be deter- 
mined, planned, and implemented before the analysis begins. 
The three factors of the security risk equation each encompass 


6 РАКТ ОМЕ 


Consequence 
of Adversary 
Success 

















System 
Ineffectiveness 


Likelihood 
of Attack 


















Security 
Risk 






Figure 1.2 Parameters Used to Estimate 
Security Risk. 


information that, if compromised, could provide serious advantage 
to the adversary. 


1.2 SECURITY RISK EQUATION 


Security risk is estimated by the following traditional risk equation: 
R= Pa «(1—PR)*C 
where: 


R = risk associated with adversary attack 
Pa = likelihood of attack 


Pg = probability that the security 
system is effective against the attack 


(1 — Pg) = system ineffectiveness 


C = consequence of the loss from the attack 


Security risk is difficult to quantify, because the basic assumptions 
for calculating mathematical probability cannot be met; that is, 
the variables are neither independent nor random. Estimating the 
likelihood that an adversary will decide to attack a given facility is 


Security Risk Assessment and Management Process 7 


difficult, at best, because predicting human behavior can never be 
a random event in the mathematical sense. Humans continually 
plan, practice, learn, and modify their behaviors. For these reasons, 
quite often analysts will estimate conditional risk for security 
applications. Conditional risk presumes that the initiating event 
occurs (for security applications, this means that the adversary 
does decide to attack and conducts the attack against the specific 
facility). 

This assumption can focus the risk assessment on the likelihood 
of adversary success and the associated consequences resulting 
from the attack. Sometimes building owners and operators need 
more concrete resolution in risk estimates. They may have several 
buildings that are vulnerable to the threat, and the consequence 
of loss is high, but they have credible evidence that makes them 
believe that one building is more or less likely to be attacked than 
another, and they feel they must prioritize their security spending, 
especially if funds are limited. 

Various risk assessment and risk management methods have 
been developed. While each method has its own unique name, 
focus, and methodology, all attempt to answer three fundamental 
questions: 


1. What are the bad things that can happen to my facility? 

2. How likely are the bad things? 

3. How do they affect my facility —its mission, occupants, 
surroundings, and the larger environment? 


This text will provide a process to estimate relative security risk 
based on qualitative estimates for three risk parameters: 


e Likelihood of attack — Qualitative estimate for likelihood 
of adversary attack, Pa. Note that threat potential for attack, 
likelihood of attack, and Pa mean the same thing in this text. 

e Consequence of successful adversary attack — Qualita- 
tive estimate of consequence, C. 


8 РАКТ ОМЕ 


• System ineffectiveness (1 — Pg) — Qualitative estimate of 
adversary success or the complement of system effective- 
ness, Pr. 


1.3. SECURITY RISK ASSESSMENT AND 
MANAGEMENT PROCESS 


An analytic process is used to assess security risk. Figure 1.3 
describes the order and sequence of the basic steps of the process. 
The process begins with an optional screening analysis for corpora- 
tions to prioritize their facilities, followed by characterization of the 
subject facility, including identification of the undesired events and 
the respective critical assets. Guidance for defining an adversarial 
threat is included, as well as for using the definition of the threat to 
estimate the threat potential for attack or likelihood of adversary 
attack at a specific facility. Relative values of consequence are 
estimated. Another optional step allows the owner to prioritize the 







































































У 
Optional Screening Facility Characterization 
Analysis 
У 
Threat Analysis Pa 
> 
У 
Consequence Analysis ||| C - 
Optional 
—Ӧј Prioritization 
У Analysis 
System Effectiveness КРЕ 
Assessment 
У 
Risk Estimation Я = Рд *(1-Рр)*С 






























Presentation to 
Management 





Greater Than 
Threshold? 





Impact Analysis > 




















Risk Management 
Decision 




















Risk Reduction Strategies 











Figure 1.3 Security Risk Assessment and Management Process. 


Security Risk Assessment and Management Process 9 


assets at a given facility. Methods are also included for estimat- 
ing the effectiveness of the security system against the adversary 
attack. Finally, relative risk is estimated. In the event that the 
value of risk is deemed to be above a predetermined threshold (too 
High), the methodology addresses a process for identifying and 
evaluating risk reduction strategies in order to reduce risk. 


1.3.1. Facility Characterization 


An initial step in security system analysis is to characterize the 
facility to be analyzed. Facility characterization requires a thor- 
ough understanding of the mission and operating conditions of the 
building, as well as the security concerns. The security concerns 
should describe the undesired events — the specific events that, 
ideally, the protection system should prevent. An extension of 
describing the undesired events is identification of the company’s 
critical assets that an adversary would most likely be attempt- 
ing to harm or obtain. Sometimes the assets to be protected are 
obvious by inspection; in complex operations, an analytical logic 
approach may be required to ensure that all of the critical assets 
are identified and protected. 

Facility characterization includes a complete physical descrip- 
tion, not only of the physical layout of the building but also of 
the construction details, locations of site boundaries, building loca- 
tions, floor plans, and access points as well as policy and procedures 
and physical and cyber-protection features and their locations. Any 
known vulnerabilities or weaknesses in protection are noted. 

The facility characterization concludes with a statement of the 
protection objectives for the facility. Usually, the protection objec- 
tives are a list of undesired events or some subset of the undesired 
events and a listing of the respective critical asset(s) to be pro- 
tected. For example, a protection objective of a building might be 
to ensure health and safety for building occupants or to prevent 
the theft of a particular critical asset. 


10 РАКТ ОМЕ 


1.3.2 Threat Analysis 


The first parameter of the risk analysis process is the threat 
potential, particularly, the likelihood of adversary attack. 

Threat — Before a vulnerability analysis can be completed and 
before threat potential for attack or likelihood of attack can be esti- 
mated, a description of the threat is required. This description 
includes the types of possible adversaries, tactics, and capa- 
bilities (e.g., number in the group, weapons, equipment, and 
transportation mode). The threat definition is often reduced to 
several paragraphs that describe the type and number of adver- 
saries, their modus operandi, the type of tools and weapons they 
would use, and the type of events or acts they are willing to 
commit. 

The types of organizations that may be contacted during the 
development of a threat definition include local, state, and federal 
law enforcement and related intelligence agencies. Local author- 
ities should be able to provide reports on the types of criminal 
activities occurring and analytical projections of future activities. 
A review of literature may also be conducted to include past inci- 
dent reports associated with the site, local periodicals, professional 
journals, and other related material. 

Threat Potential for Attack (Likelihood of Attack) — After 
the adversarial threat spectrum has been described, the infor- 
mation can be used together with statistics of past events and 
site-specific perceptions to categorize threats in terms of likelihood 
that each type of threat would attempt an undesired event. Ide- 
ally, the model for security risk assessments could be similar to the 
model for safety risk assessments; the likelihood of an initiating 
(abnormal) event is estimated and combined with the likelihood of 
consequences caused by the initiating event. Safety studies have 
yielded historical data and statistics that can help predict the like- 
lihood of an abnormal event and the system response to the event. 
However, estimating the likelihood that an adversary group will 


Security Risk Assessment and Management Process 11 


























Adversary Adversary Relative 
Capability History/Intent Attractiveness 
e Access to region e Historic interest к 
e Material resources e Historic attacks И 
e Technical skills e Current interest in : 
e Planning/organizational site * Desired level of 
skills e Current surveillance Cone dues 
e Financial resources e Documented threats * Ideology 











• Ease of attack 


Figure 1.4 Estimating Threat Potential (Likelihood of Attack) for 
Attack. 





attack a specific asset will always represent a challenge because of 
the human element. 

However, a qualitative relative threat potential parameter can 
be used to estimate the level of the unquantifiable variable. Esti- 
mating the threat potential follows a complete threat analysis, and 
the parameter is estimated per undesired event and per adversary 
group. The basis of the parameter estimation is: 


e Characteristics of the adversary group relative to the asset 
to be protected 
e Relative attractiveness of the asset to the adversary group 


Figure 1.4 includes information that can be used to estimate the 
likelihood that a given adversary group would decide to attack a 
specific facility. 


1.3.3. Consequence Analysis 


The second parameter of security risk is consequence. Consequence 
analysis can be completed after the undesired events and asso- 
ciated critical assets have been identified as a part of facility 
characterization. The next analysis step is to estimate conse- 
quences associated with the loss of specific critical asset(s) for each 
undesired event. Consequence definitions are site- or industry- 
specific. Organizations describe consequence in categories or terms 


12 


РАКТ ОМЕ 


Table 1.1 Consequence Definitions 


Consequence Category Consequence 
Level 


Could result in death, permanent total dis- 
ability, loss exceeding $1M, or irreversible 
severe environmental damage that violates law 
or regulation. 


Could result in permanent partial disability, 
injuries, or occupational illness that may result 
in hospitalization of at least three personnel, 
loss exceeding $200K but less than $1M, or 
reversible environmental damage causing a 


violation of law or regulation. 


Could result in injury or occupational illness 
resulting in one or more lost workday(s), loss 
exceeding $10K but less than $200K, or mit- 
igatible environmental damage without viola- 
tion of law or regulation, where restoration 
activities can be accomplished. 


Could result in injury or illness not resulting 
in a lost workday, loss exceeding $2K but less 
than $10K, or minimal environmental damage 
not violating law or regulation. 





Catastrophic 


Negligible 


that are meaningful to them; some may measure consequence in 


terms of lost income or downtime, others in casualties or illness, 


and others in terms of loss of pubic confidence or reputation. The 


consequence categories, such as dollars, deaths, injuries, downtime 


duration, and negative publicity, that characterize consequence 
must be determined first. Further, definitions must be established 
for qualitative levels for each consequence category. Table 1.1 pro- 


vides an example of a Consequence Definition Table that is similar 


to one used by the Department of Defense in accordance with 


Military Standard 882D. The primary goal of consequence analysis 


Security Risk Assessment and Management Process 13 


is to estimate the relative consequence value associated with each 
undesired event due to loss or compromise of a critical asset. 


1.3.4 System Effectiveness Assessment 


The third parameter in assessing security risk, system ineffective- 
ness (1 — Pg), can be derived from a security system effectiveness 
assessment. Security system ineffectiveness (adversary success) 
and security system effectiveness (Pg) are complementary func- 
tions. If security system effectiveness is High, then security system 
ineffectiveness (adversary success) is judged to be Low. The risk 
assessment process will evaluate security system effectiveness in 
order to estimate system ineffectiveness (adversary success). A 
defensible measure of the effectiveness of the security system to 
prevent the undesired events for the given threat spectrum is an 
important factor in the security risk equation. 

The process focuses on security system effectiveness assessment. 
A valuable product of assessing system effectiveness is the identi- 
fication of specific vulnerabilities of the protection system. If the 
security system effectiveness is judged to be Low, specific weak- 
nesses and the associated deficient protection elements causing 
the Low level are site-specific system vulnerabilities. Knowledge 
of site-specific vulnerabilities is valuable for planning system 
upgrades to reduce risk and for contingency planning to know 
where to place reinforcement protection during times of elevated 
threat conditions. 

For most applications, a security system is made up of physical 
protection features and cyber-protection features. Some undesired 
events can be accomplished by a physical attack on the facility, 
whereas others can be accomplished by a cyber-attack on the 
system. A total security system should address both physical and 
cyber-attacks, as appropriate. A complete system effectiveness 
assessment will include a physical protection analysis and cyber- 
protection analysis. 


14 РАКТ ОМЕ 


1.3.4.1 Physical Protection System Effectiveness 


An effective physical protection system (PPS) must be able to 
detect the adversary early enough and delay the adversary long 
enough for the security response force to arrive and neutralize 
the adversary before the mission is accomplished. In particular, 
an effective PPS provides effective detection, delay, and response. 
These physical system functions (detection, delay, and response) 
must be integrated to ensure that the adversarial threat is neu- 
tralized before the mission is accomplished. 

DETECTION, the first required sequential function of a PPS, is the 
discovery of adversary covert or overt actions and includes sensing 
actions. In order to discover an adversary action, the following 
events must occur: 


e Sensor (equipment or personnel) reacts to an abnormal 
occurrence and initiates an alarm 

e Information from the sensor and assessment subsystems is 
reported and displayed 

e Someone assesses the information and determines the alarm 
to be valid or invalid 


De ay is the second required function of a PPS. Any feature 
that impedes adversary progress can be considered to be delay. 
Delay can be accomplished by barriers (e.g., doors, vaults, locks) 
or by distances that cause a time delay to traverse. The security 
protective force can be considered an element of delay if personnel 
are in fixed and well-protected positions. 

RESPONSE, the third requirement of a PPS, comprises actions 
taken by the security police force (law enforcement officers) to 
prevent adversarial success. Response consists of interruption of 
and neutralization of the adversary action. 


1.3.4.2 Cyber-Protection System Effectiveness 


Much like an effective PPS that demonstrates high performance 
for the three functions of detection, delay, response, and the 


Security Risk Assessment and Management Process 15 


integration of these functions, an effective cyber-protection system 
demonstrates high performance for three basic cyber-security func- 
tions and their integration. These functions are used to ensure the 
properties of confidentiality, integrity, and availability of data. 
Confidentiality requires that information not be made available to 
unauthorized individuals, entities, or processes. Integrity requires 
that information not be altered or destroyed in an unauthorized 
manner. Availability requires that information be accessible and 
usable on demand by an authorized entity. The three cyber- 
protection functions are: 

e Authentication 

e Authorization 

e Audit 
The authentication, authorization, and audit must be performed 
at a high level and must be integrated. The authentication and 
authorization strategies both provide data to the audit capability 
where it is analyzed for evidence of malicious activity. 

Authentication — Authentication establishes the validity of a 
claimed identity. User authentication is the capability of associat- 
ing a computer identity with a human being. This may be done 
using mechanisms that fall into three categories: (1) something 
the individual knows, (2) something the individual has, and/or 
(3) something the individual is. Once a user is authenticated, he or 
she is generally issued credentials that are associated with com- 
puter processes acting in the user’s behalf. User authentication is 
critical to the overall security of a system or network, because if 
one user obtains (maliciously or otherwise) another user’s creden- 
tials, then he or she can access any information that the user is 
permitted to access. 

Authorization — Authorization determines what actions an en- 
tity is allowed to perform with respect to a given information object 
(e.g., files, database records, web pages). Authorization for access to 
systems and applications must be granted by management. Autho- 
rization for access to information on systems must be controlled so 


16 РАКТ ОМЕ 


that only authorized users can access specified information objects, 
based upon their authenticated identity. 

Audit — Audit records the actions or attempted actions per- 
formed by an entity within a computer system or network. The 
cyber-intrusion detection system supports the audit function. The 
major components of a successful cyber-intrusion detection system 
are the continual review of traffic data, scanners that detect any 
unusual occurrences, including any suspect ports or modems, virus 
protection, and monitors for access control. 

Access control monitoring ensures a complementary relationship 
between firewalls and intrusion detection systems. Firewalls block 
undesired network traffic and permit desired traffic. The cyber- 
intrusion detection system inspects both blocked and permitted 
traffic for suspect patterns. 


1.3.4.3 Security System Performance Assessment 


Analysis and evaluation of protection systems begins with a review 
and thorough understanding of the protection objectives and secu- 
rity environment. Analysis can be performed by simply checking 
for the required features of an effective protection system, such as 
intrusion detection, entry control, access delay, response commu- 
nications, and a response force for a physical system and features 
for authentication, authorization, and audit for a cyber-protection 
system. However, a system based on required features usually does 
not lead to a high-performance system because those features are 
often not integrated to ensure adequate levels of protection for the 
identified threat spectrum. Sophisticated analysis and evaluation 
techniques can be used to estimate the minimum performance lev- 
els achieved by a security system. The most reliable effectiveness 
measure is performance as a total integrated system. 


1.3.5 Risk Estimation 


Security risk is a function of the likelihood of attack, consequence of 
successful attack, and security system ineffectiveness. To estimate 


Security Risk Assessment and Management Process 17 


relative security risk, the qualitative estimates for likelihood of 
attack, system ineffectiveness, and consequence are logically com- 
bined. A simple method, based on expert judgment, for combining 
the three risk parameters to estimate security risk will be dis- 
cussed. The security risk estimates are relative, not absolute, but 
they can be used to make risk management decisions. A relative 
risk level is valuable to: 
e Compare risk levels for a spectrum of malevolent threats 
e Compare risk levels for a spectrum of facilities, industries, 
or organizations 
e Compare the cost-effectiveness and other impacts of poten- 
tial improvements 


1.3.6 Comparison of Estimated Risk Levels 


Estimated risk levels are compared to a predetermined risk thresh- 
old to decide whether further analysis is required. The threshold is 
determined by the analysis team and the security risk managers. 


1.3.7. Risk Reduction Strategies 


If the estimated baseline risk level for the threat spectrum is 
judged to be above the established threshold (too High), risk reduc- 
tion strategies for the system may be considered. Risk reduction 
strategies focus on reducing the levels of the parameters of the 
security risk equation: likelihood of attack, system ineffectiveness, 
and consequence. In practice, risk reduction is made most success- 
ful by improving protection system effectiveness and mitigating 
consequences. 

Risk Reduction Upgrades — Security system planners must 
address how to reduce security risk. Planners might consider 
adding features to increase physical or cyber-protection system 
effectiveness and/or to reduce or mitigate consequences. Site- 
specific vulnerabilities identified in the system effectiveness anal- 
ysis provide guidance for adding/modifying features. Upgrades to 


18 РАКТ ОМЕ 


the system might include retrofits, additional safeguard features, 
or additional consequence mitigation features. Consequence anal- 
ysis and system effectiveness analysis should then be repeated for 
the upgraded system in order to estimate a risk level associated 
with the upgraded system. If the estimated risk for the upgraded 
system is below the threshold, the upgrade is completed. If the risk 
is still above the threshold, the upgrade process should be repeated 
until the risk level is judged to be below the threshold. 

Impact Analysis — Once the system upgrade has been deter- 
mined, it is important to evaluate the impacts of the risk reduction 
on the mission of the facility and the cost. If system upgrades put 
a heavy burden on normal operation, a trade-off would have to be 
considered between risk and operations. Budget can be the driver 
in implementing security upgrades. A trade-off between risk and 
total cost may have to be considered. The assessed level of risk and 
the upgrade impact on cost, mission, and schedule are valuable 
information to security risk managers. 


1.4 PRESENTATION TO MANAGEMENT 


The final step in the risk assessment process is the preparation of a 
presentation package for the risk managers and stakeholders. The 
presentation generally includes the threat description, the security 
risk estimates for the baseline system, descriptions of any risk 
reduction packages, and the results of the impact analysis for the 
risk reduction package(s). By using comparison to the baseline risk 
levels, managers are able to understand what the upgrade package 
is buying them in risk reduction as well as other potential impacts. 
The total presentation package provides invaluable information 
for risk management decision makers. 


1.5 RISK MANAGEMENT DECISIONS 


Building owners, stakeholders, and risk managers have the risk 
assessment information package to help them make difficult 


Security Risk Assessment and Management Process 19 


security decisions. Most importantly, risk managers must decide 
on the design basis threat or the threat level to which the security 
system will be designed. 


1.6 INFORMATION PROTECTION 


The risk assessment process provides valuable, detailed informa- 
tion for risk managers; likewise, the information could provide 
valuable information to any potential adversaries. Because the 
process begins with basic facts and assumptions and each step 
builds on previous step(s), allowing the information to get into the 
wrong hands could provide a roadmap for the malevolent threat. 
Each step of the process provides security sensitive information: 


1. Facility characterization identifies the security con- 
cerns, critical asset(s), and their locations. 

2. Threat analysis ultimately defines the level of protection 
to which the security system is designed. If the perceived 
highest threat level is the terrorist, the security system 
will be designed to be much stronger than if the perceived 
threat is the vandal. 

3. Consequence analysis prioritizes the assets in terms of 
criticality or value. 

4. System effectiveness assessment provides possible att- 
ack scenarios and documented system weaknesses or vul- 
nerabilities. 


For these reasons, once the process is applied to a specific facility, 
the entire analysis package must be protected. Most sites will have 
to develop the infrastructure for protecting, storing, and sharing 
the risk assessment package. 


1.7 PROCESS SUMMARY 


This chapter provides an overview of an analytical security risk 
assessment and management process. Application of the risk 


20 РАКТ ОМЕ 


assessment process supports managers in determining how much 
security is enough for their facility, business, or industry. The 
required steps of the process are: 


1. Characterize the facility. 

2. Analyze the malevolent threat and estimate the threat 
potential for attack of the facility. 

3. Estimate consequences associated with the attack. 

4. Assess the effectiveness of the physical and cyber-protec- 
tion systems. 

5. Estimate relative security risk as a function of likelihood of 
attack, security system ineffectiveness, and consequence. 

6. Compare the security risk level to a predetermined thre- 
shold. 

7. Suggest risk reduction strategies if the estimated risk level 
is above threshold, followed by re-evaluating consequences 
and protection system effectiveness to measure and ensure 
relative risk reduction. 

8. Analyze impacts imposed by risk reduction packages. 

9. Present completed assessment to management. 

10. Make risk management decisions. 


The process begins with basic facts and assumptions, and each 
step builds on previous step(s). The final results are defendable 
because they are traceable back to the original facts and assump- 
tions. Results are repeatable, and updates to any step are easily 
addressed without starting all over. The process can be adapted 
to assess the security risk for most entities. The security of dams, 
energy infrastructures, chemical facilities, buildings, and commu- 
nities has been enhanced by the application of the process. 


1.8 REFERENCES 


1. Biringer, Betty, Risk Assessment Method for Electric Power Trans- 
mission, presented at Carnahan Conference on Security Technol- 
ogy, sponsored by IEEE, Albuquerque, NM, October 2004. 


Security Risk Assessment and Management Process 21 


. MIL-STD-882D, Department of Defense Standard Practice for Sys- 
tem Safety, February 10, 2000. 

. North American Electric Reliability Council, Urgent Action Cyber 
Security Standard, Standard CIP-002-1, Draft, May 9, 2005, 
http://www.nerc.com/~filez/standards/C yber-Security-Permanent. 
html. 

. Sandia National Laboratories Security Risk Assessment Method- 
ologies, http://www.sandia.gov/ram. 

. Wyss, Gregory, D., “Risk Assessment and Risk Management for 
Energy Applications,” in Energy 2000: State of the Art, ed. Peter 
Catania, Balaban Publishers, L’Aguila, Italy, pp. 163-184, 2000. 


1.9 EXERCISES 


. Of what value is a security risk assessment to security risk 
managers? Justify your answer. 
. List and describe the parameters used to estimate security risk. 
a. Are these parameters mathematically independent? Why or 
why not? 
b. Can these parameters be quantified? Why or why not? 
c. Must these parameters be estimated in any given order? Why 
or why not? 
. Discuss estimating the threat potential for attack: 
a. What are the limitations, if any? 
b. What are important considerations? 
. Discuss estimating security system effectiveness. 
a. Why is it important to consider both physical protection system 
effectiveness and cyber-protection system effectiveness? 
b. Discuss the relationship between security system effectiveness 
and adversary success. 
. Discuss estimating the consequences of adversary attack. 
a. What are some possible parameters to define or describe con- 
sequence? 
b. What are consequence mitigation features? Define and provide 
examples. 
. What choices do managers have if security risk level is deemed to 
be too High? Describe ways to reduce security risk. 


22 


10. 


РАКТ ОМЕ 


. Why is it important to consider all impacts when considering 


security system upgrades? 


. How are safety and security risk assessments alike? How are they 


different? 


. How might the results of a security risk assessment be used 


for security contingency planning? Security contingency planning 
describes procedures or features that are implemented during 
elevated threat conditions for events that are otherwise very Low 
likelihood but High consequence. 

How might potential adversaries use either input information or 
results of the security risk assessment for a given site? 


Сћартег 2 


Screening Analysis 


2.1. INTRODUCTION 


Screening analysis is an optional step before an investment is 
made in a complete security risk assessment. Complete security 
risk assessments represent a commitment of time and resources. 
Sometimes owners of multiple facilities have limited time, staff, 
and/or dollars to invest in security, so they first want to know which 
of their facilities warrant a full risk assessment. For those that 
require an assessment, it might be helpful to know which (based on 
security risk) should be done first, if there are multiple facilities. If 
resources only allow one or a limited number of analyses to be com- 
pleted, which facility should be analyzed? A screening analysis will 
help analysts and decision makers prioritize facilities, if necessary. 


2.2 SCREENING ANALYSIS METHODS 


If a security screening analysis is judged to be necessary, the com- 
plexity and depth of the screening model depends on the security 
concerns, the number of facilities to be screened, and the vari- 
ation among the facilities. If the list of security concerns is not 
consistent among the sites, if there are numerous facilities to be 
screened (hundreds to thousands), or if the sites do not vary much, 
analysis methods must be more complex to provide the needed 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


23 


24 РАКТ ОМЕ 


differentiation for screening. Usually, for security screening, a 
single parameter is used, and the consequence impact associated 
with the loss is the preferred parameter. 

Before the screening analysis can begin, a standard must be 
established for addressing consequence level. (Later in Chapter 5, 
“Consequence Analysis,” a Reference Table of Consequences will 
be developed that is much more detailed and specific than the 
standard suggested here for screening. However, if the analysis 
team is willing to invest the effort upfront, the Reference Table of 
Consequences could be developed first and used for the screening 
analysis.) The standard should be developed by the analysis team 
with approval by management. The list of criteria for measuring 
or describing consequence level should be specified as well as 
definitions for qualitative levels of High, Medium, and Low for 
each criterion. Common criteria used for comparing consequence 
level include number of deaths, economic loss, loss of production, 
and/or downtime. Further, comparisons should be made to ensure 
that the levels for the criteria are consistent. For example, the 
High estimate should represent the same level of consequences for 
all criteria; the Medium estimate should represent the same level 
of consequences for all criteria; the Low estimate should represent 
the same level of consequences for all criteria. 

Figure 2.1 describes the steps of a security screening method 
based on consequence. 

First, facilities must be reviewed. For each facility, a consistent 
set of consequence categories must be estimated for each security 
concern or undesired event, if it should occur at the facility. Unde- 
sired events are those security concerns or malevolent acts that the 
security system is trying to prevent. Examples might be the theft of 
high-value items, the destruction of a critical asset that interrupts 
the mission of the facility, or harm to the occupants of the build- 
ing. Judgments for levels must be kept as consistent as possible 
and should be described as High, Medium, or Low consequence 





Summarize Facility 


Screening Analysis 











Group Facilities 


m| Rank Facilities 




















Specify Facility and 
List Security 
Concerns/ 
Undesired Events 


Group l: One or 
More 
High 
levels 











+ 








Estimate 
Qualitative 
Consequence 
Level for each 
Security Concern/ 
Undesired Event: 


Group II: One or 
More 
Medium 
levels 














Group III: All Are 
Low 





e Facility w/ Most High levels 
e [Facilities in between] 
e Facility w/ Least High levels 


e [Facilities in between] 


e Facilities with All Low levels 


25 


e Facility w/ Most Medium levels 


e Facility w/ least Medium levels 








High, Medium, Low levels 








Count Number of 
High, Medium, Low 
Levels for each 
Facility 











Figure 2.1 Security Screening Analysis Method. 


impact. The maximum impact for each undesired event should be 
recorded. Then each facility can be summarized with a tabulation 
of the number of High, Medium, or Low levels estimated for each 
undesired event. The list of facilities can then be divided by group- 
ing all facilities with one or more High levels in Group I, those 
facilities with one or more Medium levels in Group II, and finally, 
those facilities with only Low levels in Group III. Further, the 
facilities can be ranked by organizing each group in terms of the 
facility with the most undesired events at the given level to the 
facility with the least number at the given level. 

Consider this example: Alpha Corporation owns and operates 
seven multistory office buildings in several large cities in the 
Southwest. Various private and government organizations lease 
space in the buildings. The security management team at Alpha 
has decided that they want to improve the security level of their 
buildings. The consequence impacts for the selected undesired 
events and the consequence factors that are common to all buildings 
are estimated and are summarized in the Table 2.1. 


26 РАКТ ОМЕ 


Table 2.1 Example Screening Analysis 


Building Undesired Aircraft | Vehicle| Theft | Briefcase 
Event Impact | Bomb of Bomb/ 

into Valuable | Suicide 

= Assets | Bomber 


Loss of building 
structure 
(economic) 


Loss of operations | M 
(economic) 
Loss of lives 
Environmental 
impact 
Maximum 
impact: 


Loss of building 
structure 

(economic) 

Loss of operations | M 
(economic) 

Loss of lives 


TF 
7 





Environmental 
impact 
Maximum 
impact: 


Loss of building |H 


structure 
(economic) 


Loss of operations | M 
(economic) 





Screening Analysis 27 


Table 2.1 (continued) 
Building Undesired Aircraft Briefcase 
Impact Bomb/ 
into Suicide 
ildi Bomber 


Loss of building 
structure 
(economic) 


Loss of 
operations 
(economic) 


Environmental 
impact 


Loss of building 
structure 
(economic) 





Loss of 
operations 
(economic) 








Maximum 
impact: 


Maximum 
impact: 


28 РАКТ ОМЕ 


Table 2.1 (continued) 


Building Undesired Aircraft | Vehicle| Theft | Briefcase 
Event Impact | Bomb of Bomb/ 

into Valuable | Suicide 

Building Assets | Bomber 


Loss of building M 


M L M 
structure 
(economic) 
Environmental |L L L L 
impact 
See 
L L L L 
structure 
(economic) 
Loss of L L L L 
operations 
(economic) 


Environmental |L L L L 
impact 
L L L L 


Loss of 
operations 
(economic) 


M 


Loss of building 


Maximum 
impact: 





The table completes the first step of the screening analysis, 
which is to summarize the facilities in terms of the consequence 
impacts for each undesired event for each facility. The next step is 
to group the facilities. The groups are: 


Screening Analysis 29 
Group I (one or more High consequence impact levels): 


e Building B 
e Building C 
e Building D 


Group II (one or more Medium consequence impact levels): 


e Building A 
e Building E 
e Building F 


Group III (all are Low consequence impact levels): 
e Building G 


The final step of the screening method is to rank the facilities in 
order of consequence severity: 


. Building D (3 High, 1 Medium) 

. Building B and Building C (3 High, 1 Low) 
. Building F (3 Medium, 1 Low) 

. Building A (2 Medium, 2 Low) 

. Building E (1 Medium, 3 Low) 

. Building G (4 Low) 


олыо мн 


The security risk management team at the Alpha Corporation could 
use the results of the screening analyses for planning purposes. If 
resources, time, and/or money only allow them to complete a few 
full security risk assessments for the year, Buildings D, B, and C 
would be good choices, based on consequence if attacked. There is 
danger if the screening analysis is used to delete facilities from the 
risk assessment list; screening analyses should be used to prioritize 
the facilities and to schedule the security risk assessments for the 
facilities. 


30 РАКТ ОМЕ 


2.3 SUMMARY 


A simple method for screening analysis has been presented. The 
method is based on consequence impact. If this screening method 
does not provide enough discrimination, the consequence impact 
definitions can be redefined to provide more levels of differenti- 
ation, for example very low, low, medium, high, and very high. 
Another option is that an additional parameter can be used to 
provide more refinement. Chapter 6, “Asset Prioritization,” will 
discuss a prioritization scheme that is based on both a consequence 
impact as well as a threat potential parameter. 


2.4 REFERENCES 


1. Biringer, Betty, “Risk Assessment Method for Electric Power 
Transmission,” presented at Carnahan Conference on Security 
Technology, sponsored by IEEE, Albuquerque, NM, October 2004. 

2. Matalucci, Rudy and Strothman, John, “Security Risk Assessment 
Procedures: Countering Terrorism and Other Threats,” Infrastruc- 
ture Security Course sponsored by ASCE and Sandia National 
Laboratories, Las Vegas, NV, January 26—27, 2006. 


2.5 EXERCISES 


1. Describe circumstances under which security risk managers would 
benefit from a screening analysis. 

2. What parameters and definitions in a screening analysis must be 
kept consistent and why? 

3. Discuss how the results of a screening analysis could be misused. 

4. Suppose that you were the owner or manager of a business that had 
500 buildings located across the country, and security alert condi- 
tions became elevated to a point that security managers decided 
that security effectiveness needed to be reviewed at their facilities. 
Your security team completes an initial screening analysis based 
on consequence and estimates that about 300 of the buildings rank 
at about the same relative (high) level and the remaining 200 are 
far below this. Discuss several options for proceeding, and list the 
advantages and disadvantages of each option. 


Сһарїег 3 


Facility Characterization 


3.1 INTRODUCTION 


Before a specific site security risk assessment can be launched, a 
complete characterization of the facility must be completed. The 
total environment must be captured: the security environment, the 
operations environment, and the workforce environment. Assess- 
ment team members from the site will know or be able to acquire 
the information readily. If the assessment is completed by someone 
other than site employees, collection of all of the information can 
be a substantial task. Site or construction drawings, maps, safety 
reports, site surveys, process descriptions, tours, and interviews 
are sources of information. 

The facility characterization provides the foundation for the risk 
assessment. The essential products of a complete characterization 
are shown in Figure 3.1 and include: 


e Identification of all of the undesired events 
Description of the facility 
e Identification of the critical assets requiring protection 


e Specification of the protection objectives for the security 
system 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


31 


32 РАКТ ОМЕ 





Facility 
Characterization 














: Undesired : : Facility : : Critical | : Protection : 
: Events : : Description : | Assets : : Objectives : 


Figure 3.1 Elements of Facility Characterization. 


3.2 UNDESIRED EVENTS 


The initial task of facility characterization is to determine the 
security concerns at the specific site. Security concerns range from 
those that result in catastrophic consequences to those that are 
primarily nuisances or embarrassments. With input from manage- 
ment, the assessment team should identify a list of undesired 
events. Management is usually willing to consider expending 
resources to keep specific undesired events from occurring. For a 
security risk assessment, usually a more complete list of undesired 
events is used than that of the screening analysis. 

Undesired events are facility-dependent and are generally asso- 
ciated with loss of mission or threats to public health and safety. 
Examples of undesired events for a building are: 


e Disruption of operations 

e Theft of valuable assets 

e Crimes against people 

e Destruction of the building 

e Compromise of the information management system 
e Loss of public confidence 


Disruption of operations could involve various events, including 
sabotage of physical equipment or support systems such as the 
emergency system, power, or other utilities. Theft of valuable 
assets could be theft of assets that are important to the mission 
or impose a large economic impact. Crime against people could 


Facility Characterization 33 


be bombs, snipers, a chemical or biological attack, or a kidnap or 
hostage situation. Undesired events concerning destruction of the 
building could be due to vehicle or suitcase bombs or a result of air- 
craft impact. Compromising the information management system 
would include a cyber-attack on information systems associated 
with operations or safety systems. Loss of public confidence could 
result from any incident that causes embarrassment or destroys 
the reputation of the facility or corporation. 


3.3. FACILITY DESCRIPTION 


Collecting data to adequately describe a facility in order to complete 
a security risk assessment is of utmost importance and can be one 
of the more time-consuming tasks. A complete description of the 
facility and its operating environment is necessary. Data can be col- 
lected by team members from site reports (environmental impact 
statements, safety analyses), construction drawings, and site visits, 
including tours and interviews with personnel. The type of infor- 
mation to be collected in order to adequately describe the facility is: 


e Physical details 
e Cyber-information-system details including cyber-protection 
features 


Facility operations 
Security protection systems 


Safety protection systems 
e Workforce description 
e Restrictions, requirements, limitations 


3.3.1 Physical Details 


A physical description of the facility provides details on the bound- 
ary and all of the penetrations of the boundary as well as the 
topography and landscape of the area. The building should be 
described, including construction details, closest vehicle parking 


34 РАКТ ОМЕ 


distances, entrances and their locations, utilities, the types and 
locations of utility penetrations, room layout, door construction and 
lock description, location of fresh-air intakes, design of the heat- 
ing and ventilation/cooling system, and location of any hazardous 
materials or waste products. Any layout or structural weakness of 
the site that reveals situations or conditions that an adversarial 
threat could use to enhance their chances of success should be 
specifically noted. 

The adversarial threat to the facility is important information 
to the assessment. In practice, threat analysis may be conducted 
at the same time as facility characterization. The next chapter 
will discuss this data-gathering and threat assessment process in 
great detail. 


3.3.2. Cyber-Information System 


The architecture of the information system must be understood and 
documented in detail. The information system discussion will be 
limited to information systems associated with supervisory control 
and data acquisition (SCADA) and process control systems. All 
of the access points to the system must be documented, located, 
and described in detail. Some facilities may have a system expert 
on-site; others may contract out the design, maintenance, and 
operation of their information system. The level of information 
needed to adequately describe the information can usually only be 
obtained from the technical expert who operates and maintains 
the system. 


3.3.3. Facility Operations 


The facility operations required to accomplish the mission of the 
facility must be identified, located, and described. Any appro- 
priate policy and procedures must also be noted. The operating 
environment must be understood; the working hours/off hours, the 
required processes for normal operations, as well as changes that 


Facility Characterization 35 


occur during emergency, construction, or other conditions must 
be addressed, especially if the protection system changes dur- 
ing different operating states. Any conditions or situations that an 
adversarial threat could exploit to enhance their chances of success 
should be highlighted. 


3.3.4 Security Protection Systems 


Both the physical protection system (PPS) and the cyber-protection 
system must be described in terms of function, features, location 
and description of features, as well as any known weaknesses or 
gaps in protection. 

PPS — The PPS is made up of features that support the detection, 
delay, and response functions. 

Detection, the first required function of a security system, is 
the discovery of adversarial action and includes sensing a covert 
or overt action. The components of detection include some type 
of sensor (either equipment or personnel) that initiates an alarm, 
communication of alarm information, and assessment of informa- 
tion to determine if the alarm is valid or invalid. 

Methods of detection include a wide range of technology and 
personnel. Entry control, a means of allowing entry of authorized 
personnel and detecting the attempted entry of unauthorized per- 
sonnel and contraband, is included in the detection function. Entry 
control, where it includes locks, may also be considered a delay fac- 
tor in some cases. Searching for metal (possible weapons or tools) 
and explosives (possible bombs or breaching charges) is required 
for some high-security areas. This may be accomplished using 
metal detectors, x-raying (for packages), and explosive detectors. 
Security officers or other personnel can accomplish detection if 
they are trained in security concerns and they have the means to 
alert the authorities in the event of a security problem. 

Applicable detection information would include documentation 
of all sensors, exterior (fence, motion, door, or gate) or interior 


36 РАКТ ОМЕ 


(door, motion, proximity). Equally important is notation of how 
the sensors operate in their environment, that is, are they the 
appropriate sensors for the application; are they installed, tested, 
and maintained properly; and do they perform as expected? Also, 
are the sensors adequately protected so that they cannot be easily 
tampered with or bypassed? The security and reliability of commu- 
nication of alarms generated by sensors or personnel are important. 
The existence of a designated location where alarms can be received 
and assessed should be confirmed. Locations of personnel, work 
hours, and whether or not personnel have a reliable means to 
communicate a problem or duress should be recorded. Any entry 
control features, including badges, contraband checks, locks, and 
the policy and procedures associated with them should be noted. 

Any known gaps or problems with the detection features should 
be specifically noted in the facility characterization process. Mary 
Lynn Garcia in Vulnerability Assessment of Physical Protection 
Systems provides detailed guidance on how to identify specific 
weaknesses in the detection function. 

Delay is the second required function of a physical security sys- 
tem. Features that impede adversary progress can contribute to the 
delay function. Delay can be accomplished by fixed barriers (e.g., 
doors, vaults, locks) or traversal distances. In high-security appli- 
cations, delay is sometimes achieved by sensor-activated barriers, 
such as dispensed liquids, smoke, and foams or a protected, armed 
security personnel force. For most security applications, nonsecu- 
rity personnel are not considered a delay feature. The response 
force may serve as a delay if they arrive in time to intercept the 
adversary before the undesired event is caused. 

Traversal distances and locks are also considered delay features. 
Site layout and construction drawings can be used to document 
building traversal distances and wall, roof, and door construction. 
Lock type (key, code, mechanical, or electronic) as well as the 
procedures for who has keys or combinations should be described. 


Facility Characterization 37 


The conditions under which locks and combinations are changed 
should also be considered. 

Response, the third requirement of physical security systems, 
comprises actions taken by the security police force (law enforce- 
ment) to prevent adversarial success. Most sites are not equipped 
or legally able to have an on-site personnel protective force. The 
response force has to arrive in time to interrupt the adversarial 
action while it is still in progress. How the site communicates with 
local law enforcement and how reliable and timely the response 
could arrive should be established. Whether or not the site has 
specific agreements with local law enforcement is important. 

Cyber-protection system — The architecture of the protection 
system for the SCADA or process control system must be described 
in significant detail. All of the access points to the system must 
be identified. Systems can be accessed via modems (located on or 
off-site), the Internet, control room, alternate access points in the 
facility, communication links, or by the download of software. Any 
electronic security boundaries of the system must be described. 
Normally, cyber-systems have an exterior electronic boundary and 
one or more interior boundaries. The communication links between 
boundaries must be identified. Cyber-protection features are usu- 
ally deployed at these electronic boundaries. The cyber-protection 
system is made up of features that support the authentication, 
authorization, and audit functions. 

Authentication is the process of establishing the validity of 
a claimed identity. User authentication is the process of asso- 
ciating a computer identity with a human being. This may be 
done using mechanisms that fall into three basic categories: 
(1) something the individual knows, (2) something the individual 
has, and/or (3) something the individual is. Two-factor authenti- 
cation means authentication requiring two (or more) of the above 
factors. Whatever the mechanism is used for authentication, the 


38 РАКТ ОМЕ 


policy/procedures and practice of deriving and implementing them 
should be described in detail. 

Authorization is the process of determining what actions an 
entity is allowed to perform with respect to a given object. Autho- 
rization for access to information on systems must be controlled 
so that only authorized users can access specified information 
objects (e.g., files, database records, web pages) based upon their 
authenticated identity. A note should be made if all employees 
are granted the same access level by management or if access is 
compartmentalized. Compartmentalization means that some com- 
partments of the cyber-system require a higher access level than 
others; all employees do not have authorized access to all compart- 
ments. Because of their role in cyber-security, all process control 
network authentication servers are usually afforded the maximum 
protection that is practical. In order to maintain the confidentiality 
and integrity of these central authentication services, the number 
of persons with privileged access (e.g., root or administrator) to 
these services is kept to a minimum. 

Audit is the process of recording the actions or attempted actions 
performed by an entity within a computer system or network. 
The intrusion detection system supports the audit function. The 
major components of a cyber-intrusion detection system include the 
review of traffic data; scanners to detect any unusual occurrences, 
including any suspect ports or modems; virus protection; and 
monitors for access control. Audit features, their procedures and 
implementation in the cyber-protection system should be described 
in as much detail as possible. 

Any gaps, weaknesses, or absence of features in the cyber- 
protection system should be specifically noted in the facility 
characterization process. 


3.3.5 Workforce Description 


A description of the workforce is important to understanding the 
security environment at a facility. A listing of the types of positions, 


Facility Characterization 39 


as well as the authorization that is afforded to each position 
in terms of unrestricted access to the site, key operations, and 
information systems. Typical types of positions are: 


e Managers 

e Operators/technicians 
e Security personnel 

e Administrators 

e Custodians 

e Maintenance personnel 
e Contractors 

Vendors 

Visitors 


Any pre-employment background investigation programs should 
be described. Some corporations complete a check with local law 
enforcement, credit institutions, or past employers before hiring. 
Special note should be made if investigations are only completed 
once, before employment, or if periodic re-evaluations are con- 
ducted after employment begins. Some institutions conducting 
national-security-level projects might require a government-issued 
security clearance and/or certification in a human reliability pro- 
gram that impose very stringent background checks and personnel 
screening prior to employment. 

The general work environment should be evaluated and under- 
stood. Any past or present issues with labor relations should be 
noted. Any past insider incidents of disgruntlement, violence, or 
crime should be included in the workforce description. 


3.3.6 Restrictions, Requirements, Limitations 


Some facilities and/or industries are subject to compliance require- 
ments by the government, owner, or operator. The terms of legal 
requirements or limitations should be described. Note of limita- 
tions or restrictions imposed by process operations will be helpful 


40 РАКТ ОМЕ 


in considering protection system upgrades, if needed. Examples 
include environmental regulations, safety requirements, opera- 
tional limitations, or labor union requirements. 


3.4 CRITICAL ASSETS 


Once the undesired events have been specified and the facility 
described, the next step in facility characterization is to determine 
what specific assets must be protected to prevent the undesired 
events from occurring. The assets that must be protected in order 
to prevent the undesired event are labeled the critical assets. For 
some applications, identification of the critical assets can be done 
by simple observation or inspection. For example, in a jewelry 
manufacturing facility, if the undesired event is to prevent the 
theft of precious gems, the gems are the obvious critical assets. In 
more complex systems, critical assets may not be so obvious, and a 
logic diagram may be required to identify all of the ways that the 
undesired events can occur and what assets must be protected to 
prevent the undesired events from occurring. 


3.4.1. Generic Fault Tree 


A fault tree is a logic diagram. The fault tree graphically represents 
the components and subsystems of events that can result in a 
specified undesired event. Identification and evaluation of the 
specific assets that make up the components and subsystems that 
are important to the occurrence of the undesired event leads to the 
identification of the critical assets that must be protected in order 
to prevent the undesired event. “Appendix A: Generic Fault Tree 
for Buildings” contains definitions for fault tree terms and a generic 
fault tree for various undesired events associated with buildings. 

Two kinds of logic gates are used in the generic tree for a building, 
the AND gate and the OR gate. Gates have inputs and may or may 
not have an output. Inputs enter the bottom of the gate; outputs 
exit the top of the description rectangle above the gate. 


Facility Characterization 41 


The shape of the AND gate is a round arch with a flat bottom. 


D— 


For the undesired event described above the AND gate to occur, 
all of the events that input into the AND gate must occur. Thus, if 
any one of the input events can be prevented, the event described 
above the AND gate will be prevented. 

The shape of the OR gate is a pointed arch with a curved bottom. 


D 


For the undesired event described above the OR gate to occur, 
any one (or more) of the events that input to the OR gate must 
occur. All of the input events must be prevented in order to prevent 
the event described above the OR gate. 

The TRANSFER operation is represented by an upright triangle. 


Z\ 


The transfer operation is used to make the graphic display of the 
logic tree more compact and readable or to develop common logic 
only once. Because many logic diagrams, as they are developed, 
occupy a wide left-to-right space across the page, it might be 
necessary to disconnect the development of an event and place it 
at a more convenient position on the page or on another page. 
To connect the event and its development without drawing a line 
between separate figures, the transfer symbol is used. In another 
use of the transfer operation, the same event or tree branch may 
apply more than one place on the tree; the event will be developed 
once, and the transfer symbol will be used to delineate all of the 
places on the tree that the branch feeds into. The number inside 
the triangle identifies the logic development. 


42 РАКТ ОМЕ 





Adversary Causes Disruption of 
Building Mission 


р 


У У У У + У 














Disrupt Normal Compromise Compromise Disable/Misuse Disable/Misuse Disable/Misuse 
Work Operations} Structural Health and Utilities HVAC Emergency 
Integrity of Safety of Systems 
Building Occupants 









































A A A A A A 


Figure 3.2 Tree Top for Generic Fault Tree for Building. 


Figure 3.2 provides the top level of the generic tree for buildings 
for the adversary causing a disruption of building mission. Note 
the OR gate at the top; the adversary can cause disruption 
of building mission by (1) disrupting normal work operations, 
or (2) compromising the structural integrity of the building, or 
(3) compromising the health and safety of occupants, or (4) disab- 
ling or misusing the utilities, or (5) disabling or misusing the 
heating, ventilation, and air conditioning (HVAC), or (6) disabling 
or misusing the emergency systems. The transfer symbols below 
each event rectangle identify the logic development that fits below 
each undesired event. An example of the logic development for 
each of the tree branches numbered 1 through 6 is provided in 
“Appendix A: Generic Fault Tree for Buildings.” An informal fault 
tree can be used as a valuable aid to the general thought process 
when discovering and enumerating critical assets. A more formal 
fault tree can be used to identify the root causes for undesired 
events in complex systems. More information on fault tree analysis 
can be found in the Fault Tree Handbook published by the U.S. 
Nuclear Regulatory Commission. 


3.4.2 Identifying Critical Assets 


The generic fault tree can be modified to describe a particular facil- 
ity. The modification process includes removing the tree branches 


Facility Characterization 43 


that do not apply, adding any that have not been included in the 
generic tree, and developing all branches of the tree to the extent 
that the specific critical assets that must be protected in order to 
prevent the undesired event can be specified. The completed tree 
that has been modified for a facility can be used not only to identify 
the critical assets that must be protected but also to outline strate- 
gies or even scenarios for causing the undesired events. Because 
of the sensitivity of the information provided by the site-specific 
fault tree, the tree should be well protected and controlled because 
it would provide sensitive information to an adversary if it got into 
the wrong hands. 

The tree branch for electric power can be used to demonstrate 
some of the concepts that have been discussed. Electric power is 
required for various operations at an example site and so logically 
it is an input to several places on the generic fault tree for building 
mission. The branch of the tree that develops the logic for electric 
power at an example building can be developed once and then the 
transfer symbol can be used to show all of the places where the 
tree branch for electric power would fit (Figure 3.3). 

Note the AND gate indicated on the first level: the adversary 
would have to defeat the commercial power system and the 
emergency generator system and the uninterrupted power sup- 
ply (UPS) batteries in order to eliminate the electric power at 
the example site. The generic tree can be made site-specific for 
the example facility by eliminating features that are not present 
and further developing existing features. In Figure 3.2, the dashed 
lines represent the additions to the generic building tree to make it 
site-specific for an example facility. Locations can be identified for 
specific features, such as the transformer vaults and the substation 
for the commercial power system; the emergency generator system 
can be further described in terms of the adversary defeating the 
diesel fuel system (either the storage tank or the fuel lines) or the 
cooling system or the auto start system. 


44 РАКТ ОМЕ 





A Electric Power 









































y 
Emergency 
Generator B n 
System atteries 
o дЫ Кон с: 
Transformer] = Substation ! : : : Air Cooling | : | 
Vaults | (Offsite) £ : Diesel Fuel TI System |: Auto Start : 
па а оао 
: Transformers : - Transformers: Storage Tank: È Fuel Lines 


: Location1 1: Госайоп2 : 


Figure 3.3. Modification of Generic Tree for Example. 


If electric power is required for the example building mis- 
sion, some of the critical assets to be protected would be the 
assets described at or near the bottom of the tree, namely, the 
transformers, the substation, the diesel storage tank, diesel fuel 
lines, components of the cooling system, and components of the 
autostart system. 


3.5 PROTECTION OBJECTIVES 


The final product of the facility characterization process is a clear 
statement or list of the protection objectives for the specific site. 
These objectives will be the metric used later to determine whether 
or not the protection system performs systematically to achieve 
the prescribed protection objectives. The protection objectives are 
derived by the security risk analysis team together with risk 
managers and are based on the information collected and mod- 
eled in facility characterization together with the specific security 
concerns. 


Facility Characterization 45 


Usually, the protection objectives for a building protection system 
include preserving the mission of the building. More specifically, 
protection objectives might include some subset of preventing: 


e Disruption of normal work operations 

e Compromise of the structural integrity of the building 
e Compromise of the health and safety of occupants 

e Disabling or misusing the utilities 

e Disabling or misusing the HVAC 

e Disabling or misusing the emergency systems 


Additional protection objectives might also be associated with lower 
consequence events such as vandalism, petty theft, or embarrass- 
ment. The complete list of protection objectives must be specified 
before the remainder of the analysis can be completed, and the 
list must be kept consistent until at least the first iteration of the 
analysis is completed. 


3.6 SUMMARY 


A process has been presented for completing the facility characteri- 
zation step for a security risk assessment. Facility characterization 
information is fundamental for completion of the risk assessment. 
The products that are required to complete further assessment 
include: 


e List of undesired events 

e Complete facility description 

e List of critical assets to be protected to prevent undesired 
events 

e List of protection objectives for the security system 


The next chapter will discuss another important element of security 
risk assessment, which is the description of the adversarial threat 
to the facility. 


46 


РАКТ ОМЕ 


3.7 REFERENCES 


. Biringer, Betty, “Risk Assessment Method for Electric Power 


Transmission,” presented at Carnahan Conference on Security 
Technology, sponsored by IEEE, Albuquerque, NM, October 2004. 


. Fault Tree Handbook, U.S. Nuclear Regulatory Commission, 


NUREG-0492, January 1981. 


. Garcia, Mary Lynn, The Design and Evaluation of Physical Protec- 


tion Systems, Butterworth-Heinemann, Burlington, MA, 2001. 


. Garcia, Mary Lynn, Vulnerability Assessment of Physical Protection 


Systems, Butterworth-Heinemann, Burlington, MA, 2006. 


. “The International Training Course for Nuclear Facilities and 


Materials,” Sandia National Laboratories and the International 
Atomic Energy Agency, 30 April-19 May 2006, Albuquerque, NM. 


. Matalucci, Rudy and Strothman, John, “Security Risk Assessment 


Procedures: Countering Terrorism and Other Threats,” Infrastruc- 
ture Security Course sponsored by ASCE and Sandia National 
Laboratories, Las Vegas, NV, January 26-27, 2006. 


. Wyss, Gregory D. and Daniele, Sharon L., “Introduction to Fault 


Tree Analysis,” ARRAMIS Training Course, Sandia National Lab- 
oratories, Albuquerque, NM. 


3.8 EXERCISES 


. How are undesired events established for a specific site, organiza- 


tion, or industry? 


. List the types of information required to complete a facility descrip- 


tion. 

a. What are some sources for the information? 

b. Define the list of participants and their roles in completing a 
facility description. 


. Why is it important to understand the workforce at a given facility 


before completing a security risk assessment? 


. What are the benefits for using a generic fault tree in facility 


characterization? 


. Discuss how to make the generic fault tree for buildings a site- 


specific fault tree. 
a. What are some applications for a site-specific fault tree? 


Facility Characterization 47 


b. Discuss the relationship of critical assets to a site-specific fault 
tree. 
6. List possible protection objectives for a typical commercial building, 
a military installation, and a government building. 
7. Discuss the importance of having a complete facility characteriza- 
tion. Discuss possible ramifications of incomplete information. 


Сһарїег 4 


Threat Analysis 


4.1 INTRODUCTION 


A description of the adversarial threat is one of the most important 
components of any security analysis. The objectives of a threat 
analysis are to define the malevolent threat to a facility, corpo- 
ration, region, or industry and to organize the collected data into 
a usable form that supports security risk management decisions. 
Threat analysis identifies and describes the types of adversaries 
(malevolent persons or groups) that may try to attack a particular 
facility. The most complete description possible of the malevolent 
adversarial threat spectrum is required. This description is used 
to estimate the relative likelihood that an adversary group will 
decide to attack a specific facility; the threat description is also 
key information used to estimate protection system effectiveness. 
Threat analysis provides this critical information. 

Threat analysis is usually completed by a threat specialist with 
contacts in local, state, and national law enforcement organi- 
zations. Threat information is sensitive and must be protected 
accordingly because the threat level most often determines the 
level at which the facility will be protected. Threat analysis is 
a continuous process. After an initial analysis is completed, the 
threat description should be updated both periodically and as new 
adversarial threat information becomes available. 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


49 


50 РАКТ ОМЕ 












































Collect Derive Describe 
Information | Adversary | Adversary 
on Potential Spectrum Capabilities 
Threat Кш 
| Тһгеаї 
Estimate Definition 
Threat 
Potential 











Figure 4.1. Threat Analysis Process. 


Figure 4.1 depicts the process for conducting a threat analysis 
that is discussed in this chapter. Each step of this threat analysis 
process is developed in detail. This chapter provides a method and 
guidance for conducting a threat analysis by addressing how to: 


e Collect information on the potential threat 

e Derive an adversary spectrum for a given application 

e Describe adversary capabilities 

e Estimate the threat potential or likelihood of attack for 
specific adversary groups for a given asset 

e Define the adversarial threat for a given entity 


4.2 SOURCES OF THREAT INFORMATION 


The threat analysis is usually completed by a threat specialist who 
has established ties and maintains contact with local, state, and 
federal law enforcement agencies, such as the Federal Bureau of 
Investigation (FBI). These and other sources of threat information 
are discussed below. 

Threat information is sensitive. For the threat specialist to 
obtain threat information from any source, he or she must pro- 
vide a credible need-to-know and instill confidence in the contacts 
that threat information will be properly protected and used with 
discretion. Information that identifies and describes the threat in 
a locale, region, and/or a specific industry or facility should be 
collected. 


Threat Analysis 51 


4.2.1 Local and State Sources 


Local sources of threat information include the site’s security man- 
ager, local law enforcement, and state or regional law enforcement. 
Site personnel who have been most successful in obtaining adver- 
sarial threat and local crime information are those who foster 
open and regular dialogue and a friendly relationship with local 
law enforcement officials. The advantage of inviting local law 
enforcement to the site for a tour of the facility and discus- 
sion — so that they know the facility and understand the security 
concerns — should never be underestimated. In many cases, law 
enforcement officers will share neighborhood and local crime infor- 
mation with site security managers. 

Many states have organized threat and investigation working 
groups, formed primarily to address the terrorist threat. The con- 
cept of the Joint Terrorist Task Force (JTTF) has gained support 
in many states. In 1979, the New York City Police Department 
first used this concept of combining federal and local law enforce- 
ment capabilities in response to an overwhelming number of bank 
robberies. The concept of a joint effort proved to be valuable, so 
administrators eventually applied it to the counterterrorism pro- 
gram. The idea behind the establishment of the JTTF is a simple 
one: once established, the task force remains in place, becom- 
ing a close-knit, cohesive unit capable of addressing the complex 
problems inherent in terrorism investigations. 

Following this JTTF concept, some industries with common 
interests formed alliances to meet and share threat information. 
Some of these groups established networks for reporting suspi- 
cious incidents to participating members. For example, in 1997 
the Interagency Forum for Infrastructure Protection (IFIP) was 
formed to address a common task of meeting Presidential Decision 
Directive #63, which required all owners of critical infrastructure 
facilities to provide a plan for protecting their facilities against 
the international terrorist threat. The IFIP includes owners of 


52 РАКТ ОМЕ 


federal dams and hydroelectric power producers. Members of IFIP 
include the Bonneville Power Administration (BPA), SNL, the U.S. 
Bureau of Reclamation (USBR), the U.S. Army Corp of Engineers 
(USACE), the Tennessee Valley Authority (TVA), the Western 
Area Power Administration (WAPA), the Federal Energy Regu- 
latory Commission (FERC), and the FBI. This group developed 
security risk assessment methodologies for federal dams and high- 
voltage electric power transmission, and they continue to share 
lessons learned and threat information. The USACE has estab- 
lished a timely reporting and threat information-sharing system 
for unusual security incidents. 


4.2.2 National Sources 


Before September 11, 2001, sources for information on malev- 
olent threats were limited to literature and Internet searches, 
crime studies, information sharing within professional organiza- 
tions, and scant intelligence information. These sources continue to 
provide information on adversarial threats and crimes, but in the 
post-9/11 United States, the most timely and complete threat infor- 
mation is provided by the FBI and the Department of Homeland 
Security (DHS). 

DHS provides information on the current threat level in the 
country through the Homeland Security Advisory system, which 
includes Homeland Security Advisories and Homeland Security 
Information Bulletins. The office of Science-based Threat Analy- 
sis and Countermeasures (STAC) in DHS has a mission objective 
to “improve our understanding of current and future threats” 
and a goal of characterizing and communicating current and 
future threats. One of the STAC Program Office’s five core pro- 
grams is Knowledge Discovery and Dissemination. This program 
implements a state-of-the-art information analysis architecture to 
acquire and maintain terrorist threat data and to provide real-time 
analysis and information processing for policy makers, intelligence 


Threat Analysis 5З 


analysts, law enforcement officials, human and animal health-care 
communities, and other decision makers. 

The FBI operates the National Threat Center. The National 
Threat Center administers Counterterrorism Watch and other 
units related to threat management, such as: 


e The Public Access Center Unit, which receives threat infor- 
mation from the public and forwards it to the appropriate 
unit 

e The Terrorist Watch and Warning Unit, which produces 

finished intelligence products for the law enforcement com- 

munity (such as Intelligence Bulletins and Special Event 

Threat Assessments) 

The Threat Monitoring Unit, which collects threat informa- 

tion, looks for patterns and connections, and provides “raw” 


threat-related intelligence reports 


In addition, the FBI maintains the National Security Threat List 
(NSTL), which includes an Issues Threat List and a Country Threat 
List. The Issues Threat List is a list of eight categories of activ- 
ity that represent a national security concern. These categories 
include terrorism, espionage, proliferation, economic espionage, 
targeting of the national information infrastructure, targeting the 
U.S. government, perception management, and foreign intelligence 
activities. The Country Threat List is a classified list of foreign 
powers that pose a strategic intelligence threat to U.S. security 
interests. 


4.3 ADVERSARY SPECTRUM 


The challenge is to organize all this collected adversarial threat 
data into a meaningful description that can be used in security 
analysis and made available to security risk decision makers. 
Because threat analysis is the process that answers two ques- 
tions — Who is the threat? What is the level of severity of the 


54 РАКТ ОМЕ 


threat? — the first step is to determine the types of adversaries in 
the threat spectrum. 

In general terms, adversaries can be categorized as outsiders, 
insiders, or a collusion group. An outsider is a person who does not 
have official business with the facility and has not been granted 
routine access to the program, facility, or site. An insider is a person 
with authorized access to the facility or vital information about the 
facility; this person may be an employee, contractor, vendor, or 
visitor. The collusion group uses a secret agreement or cooperation 
between insiders and outsiders for illegal or malevolent purposes. 

Outsiders can further be categorized as international terror- 
ists, domestic terrorists, criminals, extremists, vandals, foreign 
intelligence personnel, and psychotics. 

Terrorists — Terrorist groups have ideological, political, or 
issue-oriented motivations. They commonly work in small, well- 
organized groups or cells and can be very sophisticated in their skill 
levels. Most terrorist groups have technical training, are skilled 
with tools and weapons, and plan efficiently. International terror- 
ists include groups like Al Qaeda or Hamas; domestic terrorists 
might include ecological terrorists, white supremacist groups, and 
the more violent environmental or animal activist groups. 

Criminals — Criminals are persons who commit criminal acts 
for profit or economic gain. White-collar criminals are individ- 
uals who seek classified and/or proprietary information for the 
purpose of gaining economic advantage for the individual or the 
individual’s employer. 

Extremists — Extremists work in small, well-organized groups. 
They are politically or issue-oriented, acting out of frustration, dis- 
content, or anger against other social or political groups. Their goals 
range from publicity to damage and destruction; most extremists 
are mere protesters, those that are more violent and destructive, 
such as ecological terrorists, are considered to be in the terrorist 
category. 


Threat Analysis 55 


Vandals— Vandals are unsophisticated and superficially 
destructive in nature. They do not intend to injure people or cause 
extensive damage to targets. Their targets are usually targets of 
opportunity — whatever happens to be located in the vicinity of 
where they are. Computer hackers could be considered a type of 
vandal. 

Foreign intelligence personnel — The foreign intelligence offi- 
cer is an individual who uses human intelligence methods and 
engages in clandestine intelligence gathering on behalf of a for- 
eign intelligence service. His or her primary function is to collect 
information and/or recruit insider assistance. 

Psychotics — The psychotic is a person suffering from a mental 
disorder of sufficient magnitude to experience periodic or prolonged 
loss of contact with reality. Psychotics can fit in the outsider or 
insider parts of the threat spectrum. 

An insider can be defined as anyone with knowledge of operation 
or security systems and who has unescorted access to facilities or 
security interests. The insider threat can range from a person who 
is passive (only provides information) or active nonviolent (facil- 
itates entrance and exit, disables alarms and communications, 
and the like) to the active violent (actively participates in a violent 
attack). Although having more than one insider is possible, empha- 
sis is placed on addressing the single insider, the most probable 
insider threat. 

Addressing the insider threat can be difficult because of the social 
sensitivities (of employees feeling like they are being watched or 
suspected) and the challenge of protecting against an insider whose 
very job assignment grants him or her authorized access to crit- 
ical assets and/or the equipment that protects and monitors the 
critical assets. A more acceptable analytic method for addressing 
insider threats is to identify all of the types of employment posi- 
tions at the facility and then consider the access and authority 
advantages afforded by each position. The analysis can become 


56 РАКТ ОМЕ 


more objective when the question considered is ZF there were ап 
insider in this employment position, how effective is the protection 
system? The focus becomes how often does someone in this job 
position have lone access to the critical asset, lone access to the 
protection system or monitoring system of the asset, or opportunity 
to collude with an outsider. At some point, management is faced 
with the likelihood that one of their employees might decide to 
become an insider adversary. For managers of critical operations 
or high-consequence facilities, considering the threat potential of 
an insider threat must be addressed. For many facilities, certain 
employment positions afford individuals ‘the keys to the kingdom.’ 
This unlimited access must be considered when analyzing the 
insider threat. 

The collusion threat usually takes the form of a single insider 
supporting a group of outsiders. An active insider participates 
fully in the attack; a passive insider provides information about 
the facility operations and safeguards to a group of outsiders. 


4.4 ADVERSARY CAPABILITY 


For each adversary group that is identified, the most complete 
description possible is developed for use in designing and/or 
evaluating the effectiveness of a protection system. The type of 
information sought in the data collection task for each adversary 
group includes: 


e Motivation 

e Tactics 

e Intelligence-gathering means 
e Targets of interest 

e Expected number in group 

e Equipment 

e Transportation 

Weapons 


Threat Analysis 57 


e Explosives 

e Technical skills/knowledge 

e Financial resources 

e Potential for collusion with an insider 


Motivation — This is generally based on goals and objectives. 
Threat motivations are described as economic (desire for financial 
gain), ideological (linked to political or philosophical system), or 
personal (related to special situation of specific individual — host- 
ility, grievance/revenge, psychotic, economic gain). Motivation 
is related to the desired level of consequences: make a state- 
ment, cause mass casualties, create terror, or cause economic 
crisis. 

Tactics — This describes the type of tactics the group has used or 
might be expected to use. Tactics include a suicide bomb, a standoff 
attack, an intrusion, sabotage, destruction, and/or cyber-attack. 

Intelligence-gathering means — This addresses how the group 
gets information, namely through documentation, human intelli- 
gence, signal intelligence, photographic intelligence, and/or physi- 
cal or cyber-surveillance. 

Targets of interest — This demonstrates past or current inter- 
ests: financial institutions, critical infrastructure elements, recre- 
ational sites, religious facilities, or a specific industry (chemical 
facility, animal research institute, or the like). 

Expected number in group — The total number of adversaries 
expected in an attack and whether or not the group is broken up 
into smaller groups or cell. 

Equipment — This includes the types of equipment that the 
group both has access to and has the skill to operate: heavy 
construction equipment, hand tools, power tools. 

Transportation — This describes the type of transportation that 
the group might use in an attack: aircraft (jet liner, helicopter, 
ultra-light), boat, motor vehicle (truck, van, sedan). 


58 РАКТ ОМЕ 


Weapons — This lists the types of weapons that the group has 
access to and is trained to use: handguns, rifles, shotguns, auto- 
matic weapons. 

Explosives — This describes the types of explosives that the 
group might be expected to use: bulk, shaped charges, improvised 
explosives. 

Technical skills/knowledge — This includes technical train- 
ing and experience: engineers, scientists, special combat forces, 
explosives handlers. 

Financial resources — This describes the source of money to 
conduct attacks: self-financed, state-sponsored, organized crime. 

Potential for collusion with insider — This predicts the pot- 
ential for collusion with an insider or an interest in colluding with 
an insider. 

After all threat information for each adversary group has been 
collected, a table, like the example in Table 4.1, can be constructed 
to organize the information. The table is valuable for risk man- 
agers and security analysts who design and/or evaluate security 
system effectiveness. In addition, the summarized threat informa- 
tion can be used to assess the threat potential for attack for a given 
adversary group and facility. 


4.5 THREAT POTENTIAL FOR ATTACK 


For security risk analysis, unlike safety risk analysis, estimating 
the likelihood of the initiating event is difficult at best. Ideally, 
security and safety risk analyses could share methodologies for 
estimating risk parameters. Unfortunately the differences between 
these two analyses are too significant for a shared methodology. 
A primary difference can be found when estimating the likelihood 
of the initiating event. Safety studies have historical data and 
statistics that predict the likelihood of an abnormal event and the 
system’s response to the event. For security studies, estimating 
the likelihood that an adversary group will attack a specific asset 


59 


Threat Analysis 





ојдога 
“Sonsst 
те}чәшиол 
тамо Чу 
Бә 
‘вәт 
упошилолов 
oywedg 


ләдХә “повӊте 
“ләйтив 
‘803500 
поло 

отуда олуе ве) 


60021 
течоцеи 
5398163 

3105 'олпд 
-опл вел 
TET 
“в1пәлә 
течотуеџ 
AYTTIQISTA 
-ysty ‘әтоәд |2тцӣ0л35е3в2 7) 


78әләЈи] 


JO 8138401, S9120], 


оотовла 
ssoursnq 
asueyo 
“үпәшә?]в1}8 
теопцод 

в одеш 
‹чәшиләлов 
oy} ysurese 
PEPA 


SISLIO 
этшоподә 
‘edur 


ге2130тоцоква 


‘reoy 
реәлӣѕәртм 
‘soryyenseo 
вези 


иотроатој 





вәдләр 
Алетрџеош 
‘orqsureys 
p% SOAL 
-sojdxə 
а8от}ешоупе 
“вип8риең 


отаулшецо 
p SOAL 
-sojdxə 

а зопешојпе 
“вип8риең 


зиодра 


1уеләлте 
‘eoq ANI} 
PXP 
‘dnyprd “еә 
‘SPITA 
италлој- У 


отаучшәцә 
"дошле 
Крод “81003 
зәмоа 


pue pueg 


1уеләлте 
“әЗгед 
‘eoq Anag} эшо? 
лојтелу SSOTOITM 
-Tules| 'оталџоцо 
HNI} "дошле 
‘p x p| Арод "51003 
‘dnyord |1zamod/puey 
“тегу рәш" 


зајотјад |јигшатрлт 


Атешшпс }үеәлц у јемезлолруу јеодоцјодлн 





ватарвагару 


Jo ‘ON 





(surpnyyoo 
лортеш че 
орпјош Кет) 
езү %9 

02% :3851л0лләј, 
опвошо( 


(ватрп|јоо 
лорташ че 
Əpnpur Len) 
151л0ллој, 
течотеилојиј 





«ловагару 
Јо ә, 


by ajqel 


РАКТ ОМЕ 


‘QOUBOYIUSIS 
тез 
-чәшоллАПӘ 
ло тест од 
Чим 
волови 
syueq 

se yons 
‘sjosse onj[ea 
-этшоподә 
-Ч8їН 


ysa1aquy 


(ләдК^ә) 
Зиатуәец 
"дотјоплувор 
‘aseuleq 


ләдКә 
"дотјоплувор 
“әзешер 
‘qmesse 
“доме 
-тродозтр 
Ато 893014 


ләдә “әј 
Күләйолд 


шәтерие д 


35әзола 
‘09019335 
Теәтдцоа 

e IJEN 


"Аалодола 
[2946 "ше 
тетомеш 


45232 ШОзПе 
‘єопзроен |апуәта ‘ед 


snq 
‘eoq QNI} 
Px? 
‘dnyord 
“тегу 


вајпјо 
"ваотлор 
Алетрџеоиј 


SOATUY | YON] ‘PX F 
а 8232ШО}пе 


‘sunspuey 


81003 
puey “83201 
‘sureyo 
‘80816 


Н 


Е 


вләўәен 
/spepue A 


Е 


60 


Јо 8798101, 8213201, иооацоуу 








Salipsiaapy| Aipsiaapy 
suodpay, зајотуад |quaudinby| fo on 


(рәпииоо) ү әде 


61 


Threat Analysis 





ләдтүеә әдлет рив ‘ѕиойвәм әтуешозпе 
‘влороәл ло 51032913000 {ләшлој рие зџәѕәла) ѕәәҝоүішә ѕе цопѕ ѕйпол8 38әләит-үетәәйѕ әроүәош ѕләрѕит „ 


"(в)да Лота ше 
MOTOS 
‘quourdinbe 
рив (=)јәѕѕе 
Кое 


wopuey 


seo dure 
лортеш 
‘sjonpoid 
"дотешлојиј 


282121и] 
JO 8138401, 


ләдә "јеча 
“әәчәтотл 
‘10132023890 
чопоплјвор 
“QDU9[OTA, 


8213201, 


ponunassıq 


шориеу 
лортеш 
угалоол “ойт 
Аледотлаола 
aon 


-еоуіѕѕето 03 


sso00e UTBY) 


иолуоатуору 





"отлу ләүтелу-тшәв ло зәплу “Ч@пз{әта “тез (рәтлтеә-әүәтчәл) вәлтвоТахо у 
"ашод зова ова 1o quoq ədrd Аллео ртпоз човлод suo yeys од родтшу га ртпом (ротллео-ривц) волтвојах ој 5 


‘oqo 
‘suns pueH 


зиодра 


oq F x p 
«азота “тегу 


лед) 


53191424 


1чәшатпрә 
9118-00) 


[003 риенң 


818978135 
зицләцје8 
-әәпәЯ 
"реја 
чештн 


quawdinby 





ватарвагару 


Jo ‘ON 


(panuluo2) 





‘suodeom 


sor} [iqedeo esues-Suo] YIM Sopit ‘sunsyoys зорпјошт Атиодвом зо ода], а 


лото 


"те чбтолод 


«ловагару 
Јо әк, 





by ajqel 


62 РАКТ ОМЕ 


presents a challenge because of the human element. Humans 
plan, rehearse, learn, and modify in order to optimize the attack’s 
effectiveness; the events are not random, and many of the required 
mathematical assumptions cannot be met. Human behavior is 
difficult to predict and providing a quantified prediction of human 
behavior is an even more difficult task. 

Historical adversary attack data, even if it were available, would 
not necessarily predict whether an adversary group would attack 
a particular facility/asset. Adversaries, especially those motivated 
by ideology, have very subjective reasons for attacking a particular 
target and they gather data, conduct surveillance, and rehearse 
until they are confident of their success. Even though likelihood of 
attack is difficult to quantify, adversaries must go through some 
logical process to determine the target. The logical process could 
vary because of variations in motivation, capability, and tactics 
among adversary groups. 

The process for estimating the threat potential follows a complete 
threat definition. Estimating threat potential is an attempt to 
estimate the likelihood that an adversary group would decide to 
attack a particular facility or entity and will later be referred to as 
likelihood of attack. For the insider threat, threat potential is the 
likelihood that an insider is an adversary. 


4.5.1 Outsider Threat 


A qualitative relative threat potential parameter is used to replace 
the likelihood of adversary attack for a specific facility. The method 
to estimate the threat potential follows a complete threat defini- 
tion and the parameter is estimated for a specific facility and 
adversary group. The parameter is based on characteristics of this 
adversary group, such as capability, historical actions, and current 
intent, as well as target attractiveness of the facility/asset to the 
adversary group. 

The assessment method for estimating threat potential produces 
a qualitative threat potential parameter for a given adversary 


Threat Analysis 63 


Table 4.2 Factors for Estimating Threat Potential 


Adversary Capability Adversary History/ |Relative Attractive- 
Intent ness of Asset to 
Adversary 


Access to region 


; Historic interest |e Desired level of 
Material resources 


Technical skills Historic attacks consequence 


И Current interest |e Ideology 
skills in site e Ease of attack 


Current 
surveillance 
Documented 
threats 


Financial resources 








group and undesired event for a facility/asset. The factors used for 
estimating threat potential are divided into three sections and are 
illustrated in Table 4.2. The first factor is a Yes/No question (Is the 
adversary capable of the attack?) that assesses the threat potential 
as very Low or High. The second and third factors are considered 
after a Yes answer to the capability question and are evaluated 
individually by a scoring process and then combined (summed) to 
provide a relative score for adversarial threat potential. 

The first factor addresses adversary capability. Capability estab- 
lishes whether the likelihood of attack is very low or greater. If 
adversaries are not judged to be capable of causing an undesired 
event at the facility and achieving the level of consequences, the 
threat potential is judged to be very low. The other two factors fur- 
ther refine the likelihood of attack. The second section addresses 
the history/intent for adversary groups that are judged to be 
capable of causing the undesired event. Finally, the third section 
considers the relative attractiveness of the target to the specific 
adversary group. 

Capability determines whether the adversary is assessed to have 
or has demonstrated the capability to conduct an attack on the 


64 РАКТ ОМЕ 


facility. Adversaries are usually described in terms of the degree 
of capability they have in several categories. A non-zero degree of 
capability in every category is necessary; whether an adversary has 
these aspects of capability can usually be discovered. An analyst 
can deduce limits on the severity of attack that an adversary can 
mount by the degree of capability. Based on the threat data gath- 
ered, the first questions to ask are whether the adversary group 
is located near or able to gain access to the region and whether 
they are expected to have the material resources, technical skills, 
planning/organization skills, and financial resources to attack the 
facility. If the answer is No, then threat potential is judged to be 
Very Low. If the answer is Yes, the analysis continues. Table 4.3 
summarizes this first step in the assessment method. 

If the specified adversary group is judged to be capable of 
a successful attack on the facility, the threat potential is esti- 
mated by a relative score based on History /Intent and the Relative 


Table 4.3 Assessing Adversary Capability 


Capability: Is the adversary group If YES, |If NO, 

capable of conducting a successful continue |Threat Potential 
attack on this facility? To answer the Is Very Low 
question, consider the threat description. Stop 

Is the adversary group: 


Located near or able to gain access to 
the region? 


Expected to have the material resources 
to attack this facility? 


Expected to have the technical skills to 
attack this facility? 


Expected to have the planning/ 
organizational skills to attack this facility? 


Expected to have the financial resources 
to attack this facility? 











Threat Analysis 65 


Attractiveness of the Facility /Asset to the adversary group. Scores 
are associated with the answer that most accurately describes 
specific items of interest. If it is judged that some items have a 
greater impact on threat potential, they can be assigned a relatively 
higher score. 

History/Intent — The cumulative score for History/Intent is 
based on historic and current interests of the adversary group. 
History is captured by past interests (evidence that this adversary 
group has shown interest in this type of facility or this specific facil- 
ity) and attacks (evidence that this adversary group has conducted 
similar attacks in the past at this facility or this type of facility). 
Current interest is described by current interest in the facility 
(information suggests interest in the facility), current surveillance 
(existence of intelligence information regarding this site or sim- 
ilar facility), and documented threats (existence of documented 
threats to the facility). Table 4.4 summarizes this second step of 
the method. 

Relative Attractiveness of the Facility/Asset — The scope for 
Relative Attractiveness of the Facility/Asset is based on attributes 
of the facility relative to the interests of the adversary group. 
Relative Attractiveness of the Facility/Asset is captured by con- 
sequence (whether or not the estimated level of consequence for 
the attack is consistent with goals of the adversary group), ideol- 
ogy (whether or not attacking this facility is consistent with the 
ideology/motivations of this adversary group), and relative ease of 
attack (perception of how easy it is to defeat the protection sys- 
tem and/or how easily the undesired event can be accomplished). 
Table 4.5 summarizes this step of the assessment method. 

Threat potential is then estimated by first summing all scores for 
History/Intent and Relative Attractiveness of the Facility/Asset. 
The total scores can be partitioned into bands to estimate a 
threat potential factor per adversary group and facility/asset. For 


66 


РАКТ ОМЕ 


Table 4.4 History/Intent Assessment 


Historic 
interest 


Current 
interest in 
facility 


If there is 
documented 
evidence that 
historically 
this adversary 
group has 
shown interest 
in this type of 
facility or this 
specific 
facility, 

Score = 5. 


If there is 
documented 
evidence that 
this adversary 
group has 
conducted 
similar 
attacks in the 
past at this 
facility or this 
type of facility, 
Score = 5. 


If current 
information 
suggests 
interest in the 
facility, 

Score = 10. 


If there is 
speculation, 
but no 
evidence that 
this adversary 
group has 
shown interest 
in this type of 
facility or this 
specific 
facility, 

Score = 3. 


If there is 
speculation, 
but no 
evidence that 
this adversary 
group 
conducted 
similar 
attacks in the 
past at this 
facility or this 
type of facility, 
Score = 3. 





If there is no 
evidence 
that this 
adversary 
group has 
ever shown 
interest in 
this type of 
facility or 
this specific 
facility, 
Score = 1. 


If there is no 
evidence 
that this 
adversary 
group has 
conducted 
similar 
attacks in 
the past at 
this facility 
or this type 
of facility, 
Score = 1. 


If there is no 
current 
information 
that 
suggests 
interest in 
facility, 
Score = 2. 





Table 4.4 


History / Intent 


Current 
surveillance 


Documented 
threats 





Threat Analysis 


(continued) 


If current 
intelligence 
documents 
surveillance at 
specific 
facility, 

Score = 10. 


If this facility 
has received 
documented 
threats of 
attack from 
this adversary 
group, 

Score = 10. 


If current 
intelligence 
documents 
surveillance at 
other similar 
facilities in 
the U.S. or 
other types of 
facilities in 
the region, 
Score = 6. 


If this facility 
has received 
documented 
threats of 
attack but not 
from this 
particular 
adversary 
group but 
similar 
groups, 

Score = 6. 





If current 
intelligence 
does not 
involve 
specific 
facility, 
similar 
facilities in 
the U.S. or 
other types 
of facilities 
in the region, 
Score = 2. 


If this 
facility has 
not received 
documented 
threats from 
this 
adversary 
group or 
other 
adversary 
groups, 
Score = 2. 





67 


example, if total scores for a given adversary group and facility are 


estimated to be: 


e Greater than V and less than or equal to W, then threat 
potential is Low 
e Greater than W and less than or equal to X, then threat 
potential is Medium 


68 РАКТ ОМЕ 


e Greater than X and less than or equal to Y, then threat 
potential is High 

e Greater than Y and less than or equal to Z, then threat 
potential is Very High 


The values of the bounds should be predetermined for the given 
industry or type of facility and based on the expert judgment of 
the threat analyst. These values must be consistent throughout 
the analysis. The estimated threat potential parameter, though 
relative in nature, can provide valuable information to security 


Table 4.5 Relative Attractiveness of the Facility/Asset Assessment 


Relative Attractiveness As Target fT 


Consequence | If level of estimated 
consequence for attack 
is consistent with 
goals of this adversary 
group, Score = 10. 


If attacking this 
facility is consistent 
with ideology/ 
motivations of this 
adversary group, 
Score = 10. 


Ideology 


If level of 
consequence 
caused by 
attack is not 
definitely 
consistent 
with goals of 
adversary 
group, but 
possibility 
exists, 

Score = 6. 


If attacking 
this facility 
is not 
consistent 
with 
ideology/ 
motivations 
of this 
adversary 
group but 
possibility 
exists, 
Score = 6. 


If level of 
consequence 
caused by 
attack is not 
at all 
consistent 
with goals of 
this 
adversary 
group, 

Score = 2. 


If attacking 
this facility is 
not at all 
consistent 
with ideology/ 
motivations 
of this 
adversary 
group, 

Score = 2. 





Threat Analysis 69 
Table 4.5 (continued) 
Relative Attractiveness As Target Score 
Ease of If perception exists If perception | If perception 
attack that PPS is relatively | exists that exists that 


easy to defeat or 
doesn’t exist and/or 
the undesired event is 
easily accomplished at 
this facility, Score = 5. 


the PPS at 
the facility 
provides 
moderate 
protection 


and/or there 
is moderate 
difficulty in 
accomplish- 
ing the 
undesired 
event at this 


the facility 
has a robust, 
effective 
protection 
system and/or 
the undesired 
event is 
extremely 
difficult to 
accomplish at 
this facility, 
Score = 1. 


facility, 
Score = 3. 














risk managers. The parameter can be used in conjunction with 
consequence levels to prioritize facilities/assets and/or to estimate 
relative security risk level. The net result is logical guidance to 
optimize the allocation of limited security resources. 


4.5.2 Insider Threat 


Estimating the threat potential for the insider threat is proba- 
bly the most daunting task of security risk managers. The task 
is socially, politically, and legally sensitive, and it is technically 
challenging to protect against the trusted insider. Predicting what 
would make an employee decide to become an adversary is dif- 
ficult, at best. For high-risk employment positions, those which 
require significant access to sensitive or proprietary information, 
materials, products, cyber-systems, or the protection systems for 
these items, consideration of the threat potential is of paramount 
importance. 


70 РАКТ ОМЕ 


The most effective protection for an insider must occur before or 
while the employee is making the decision to become an adversary. 
Once the decision is made or the employee recruited, the insider 
may go undetected. History has shown that most spies are never 
detected or caught in the act; rather they are reported by other 
spies. A physical protection system (PPS) can make it difficult for 
the insider to do the wrong thing, but it cannot act alone to com- 
pletely mitigate the insider threat. Protection against the insider 
threat requires an integrated protection system with personnel 
screening, physical protection, cyber-protection, and operations 
security. Appendix D, “Insider Threat” discusses protection con- 
cepts for the insider threat. 

Personnel screening is the one protection function that can 
occur during the insider decision-making or pre-recruitment (by 
a malevolent group) phase. Some type of personnel screening 
should be conducted for positions judged to be high risk. Pre- 
employment screening and continuous updates should be con- 
ducted to ensure the protection function’s effectiveness. Screen- 
ing methods must be reviewed by the labor counsel and must 
respect the personal privacy of employees. Turner and Gelles 
suggest a list of characteristics that make individuals attractive 
targets for recruitment by outside malevolent groups, such as 
foreign intelligence services or terrorist groups. The characteris- 
tics that they suggest for an effective pre-employment screening 
include: 


e Alcohol or other substance abuse 

e Financial issues 

e Criminal behavior (including juvenile) 

e Workplace performance or behavior (previous) 
Compulsive or excessive gambling 


e Repeated policy violations (rules do not apply to them) 


Threat Analysis 71 


4.6 SUMMARY 


Threat analysis attempts to answer the questions: Who is the 
threat? How strong are they? What is the likelihood that they 
will decide to attack my facility? The detailed answers to these 
questions are used to design and/or evaluate the effectiveness 
of a protection system. The level of required security protection 
is dependent on the level of the potential threat. With limited 
financial resources for security systems, security risk decision 
makers must have the best threat information available and a 
logical method for prioritizing the adversarial threats to their 
facilities. This chapter has described the importance of a timely 
(current) and complete threat definition. A process for conducting 
a threat analysis was provided by offering guidance on where to 
obtain threat information, how to organize the information to make 
it usable for system effectiveness analysis, and how risk managers 
can use it to make security decisions. 


4.7 REFERENCES 


1. Biringer, Betty, “Estimating Threat Potential for Security Risk 
Analysis,” presented at American Nuclear Society Conference, 
San Francisco, CA, September 2005. 

2. Department of Homeland Security, “Threats and Protection: 
Synthesis and Dissemination of Information,” http://www.- 
dhs.gov/dhpublic/theme_home6.,jsp. 

3. FBI’s Counterterrorism Report, Since September 2001, A Report 
to the National Commission on Terrorist Attacks upon the United 
States. 

4. Garcia, Mary Lynn, The Design and Evaluation of Physical Pro- 
tection Systems, Butterworth-Heinemann, Burlington, MA, 2001. 

5. International Training Course for Nuclear Facilities and Mate- 
rials — Volume I. Determining Physical Protection System Objec- 
tives, Sandia National Laboratories and the International Atomic 
Energy Agency, 2004. 


72 


10. 


РАКТ ОМЕ 


. National Counterterrorism Center (NCTC) Knowledge-Based 


Directory, http:/www.tkb.org/Home.jsp. 

. National Security Threat List (NSTL), Federal Bureau of 
Investigation, http:/www.dss.mil/training/csg/security/T1threat 
/Nstl. htm. 


. Parker, Dr. Gerald, Mission and Goals of the Office of Science- 


Based Threat Analysis and Counterterrorism, Department of 
Homeland Security, November 2004. 


. Paulus, William K., Briefing Package, Non-nuclear Risk Assess- 


ment Methodology: Threat Assessment, Sandia National Labora- 
tories, February 2002. 

Turner, James T., PhD and Gelles, Michael G., PsyD, Threat 
Assessment: A Risk Management Approach, Haworth Press, Inc., 
Binghamton, NY, 2003. 


4.8 EXERCISES 


. List two or more uses of threat analysis in security risk analysis. 


Discuss possible ramifications if the analysis is incomplete. 


. When should a threat analysis be completed for a given facility or 


industry? For what period of time is the threat description valid? 


. Threat information can be collected from various dependable 


sources. 
a. List possible local sources 

b. List state or national sources 

c. List others (Where else might you look for threat information?) 


. Assume that you are the threat specialist and have collected data 


from every source that you can find for your facility. 

a. Discuss how you would decide which adversary groups you would 
include in the adversary spectrum to present to management. 

b. What would you do or what advice would you provide to manage- 
ment if you could find no threat information that you considered 
relevant for your facility? Specifically, what would you advise in 
the absence of threat data. Why? 


. A list of potential adversary capabilities was provided in this 


chapter. List any others that you think might be important. Based 


Threat Analysis 73 


on your judgment, rank order the top five capabilities and discuss 
why you ranked them in that order. 

. What are the challenges to estimating the likelihood of adversary 
attack? Can this estimate be quantified? Why or why not? 

. The insider threat poses a great challenge to a protection system. 
Why is protection for the insider threat so important? 

. The design threat is the term used for the site-specific threat spec- 
trum that management decides to employ to design the security 
system for that facility. The level of protection will be established 
by this specific spectrum. Discuss the differences in level of pro- 
tection for a security system that is designed to meet a full threat 
spectrum (terrorists, criminals, extremists, vandals, insiders) ver- 
sus a security system that is designed to meet criminal and vandal 
adversary groups. 


Сһарїег 5 


Consequence Analysis 


5.1 INTRODUCTION 


In Chapter 3, “Facility Characterization,” the identification of the 
undesired events and the critical assets that must be protected 
to prevent the undesired events was discussed. The purpose of 
consequence analysis is to estimate consequence values for each 
undesired event for a given facility. The consequence values are 
later used to estimate relative security risk. The basic process to 
complete consequence analysis is: 


e Determination of a reference table of consequences 
e Estimation of consequence values for undesired events 


5.2 REFERENCE TABLE OF CONSEQUENCES 


In order to establish a standard for discussing the consequences 
associated with a specific undesired event, a reference table of 
consequences is developed. The table is populated by the security 
analysis team and technical experts for final approval by manage- 
ment. The contents of the table should remain constant throughout 
the analysis. If a comparison or relative ranking of facilities is to 
be completed, the same reference consequence table must be used 
to estimate consequence values at each facility being compared. 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


75 


76 РАКТ ОМЕ 


The first components of the reference table of consequences 
are the criteria for describing consequence. Criteria may be site-, 
organization-, or industry-specific. Measurable, rather than sub- 
jective, criteria should be used. Common criteria or units of 
consequence include: 


e Deaths 

e Economic loss (to owner) 

e Economic loss (to customer) 

e Loss of operations or production 
e Loss of public confidence 

e Loss of asset(s) 

e Downtime 

e Geographic impact 

e Population at risk 


The next step is to establish definitions for qualitative values of 
each consequence criterion. As many levels of consequence severity 
can be used as can be discretely defined. For example, assume 
that loss of production is a selected criterion. Consequence value 
definitions for this criterion might look like: 


Undesired Consequence | High Medium Low 
Event Criteria 
Loss of Future Severe | Moderate | Low 
Production | contracts 
Capability 
Duration >2 1-2 <1 
Үеагѕ Үеагѕ Үеаг 
Есопотіс >$5 $1-$5 < $1 
Loss million | million million 














Consequence Analysis 77 


Table 5.1 DoD Military Standard 882D 


Consequence Category Consequence Level 


Could result in death, permanent total dis- Catastrophic 
ability, loss exceeding $1M, or irreversible 

severe environmental damage that violates 

law or regulation. 


Could result in permanent partial disabil- Critical 
ity, injuries, or occupational illness that may 

result in hospitalization of at least three per- 

sonnel, loss exceeding $200 K but less than 

$1M, or reversible environmental damage 

causing a violation of law or regulation. 


Could result in injury or occupational illness Marginal 
resulting in one or more lost workday(s), loss 

exceeding $10 K but less than $200 K, or 

mitigatible environmental damage without 

violation of law or regulation, where restora- 

tion activities can be accomplished. 


Could result in injury or illness not resulting Negligible 
in a lost workday, loss exceeding $2 K but 

less than $10 K, or minimal environmental 

damage not violating law or regulation. 








Table 5.1 repeats Table 1.1 from “Chapter 1, Security Risk Assess- 
ment,” which provides the Department of Defense Military Stan- 
dard 882D for consequences that can be used as a start for a 
reference table of consequences. Table 5.2 shows a hypothetical 
example of a reference table of consequences. 


5.3 CONSEQUENCE VALUES FOR UNDESIRED 
EVENTS 


Once the reference table for consequences has been determined, 
each undesired event that was identified in the facility char- 
acterization step is analyzed for the consequence severity that 


78 РАКТ ОМЕ 


ТаЫе 5.2 Hypothetical Example of Reference Table of Consequences 
Measure of High Medium Low 
Consequence 
Economic loss > $5M $1-5М < $1M 
(property loss + 
revenue) 

Economic loss > $5M $1-5М < $1M 
б 


De ooo National Regional po 
a 


ЕШ Outage > Outage > 
1 week 1 day but < 
1 week 


would result if the undesired event did in fact occur. Criteria and 





definitions in the reference table of consequences are used to esti- 
mate the consequence severity. If more than one criterion is used 
to describe consequence, each criterion is evaluated and then the 
highest consequence value is selected to estimate the consequences 
of the undesired event. 

Table 5.38 shows an example of estimating consequences for 
undesired events. Consequences are estimated by the analysis 
team with input from technical experts. The safety analysis team 
may be able to support this consequence estimating effort. How- 
ever, a caution is that if credit is attributed to safety features to 
reduce the consequences of an event, there must be confidence that 
the safety features would survive a malevolent attack. In other 
words, the adversary may plan to defeat the safety features as 
part of the malevolent attack on the facility in order to maximize 
consequences. 


Consequence Analysis 


Table 5.3 Consequence Value Estimation Example 


Undesired Event 


Disruption of Oper- 
ations (sabotage of 
vital equipment by 
cyber-attack) 


Theft of Valuable 
Asset(s) (precious 
metals) 


79 























Measure of Consequence | Consequence Severity 
Type Value | By Type |By Event 
H/M/L | H/M/L 
Economic loss|$3M |M 
(property loss + 
revenue) 
Economic __loss/0 L 
(users) 
Deaths 0 L 
Geographic Local |L 
impact 
Public confidence |6 H 
months 
Enter H 
highest 
consequence 
Economic loss|\$1M |M 
(property loss + 
revenue) 
Economic 1озв|0 L 
(users) 
Deaths 0 L 
Geographic Local |L 
impact 
Public confidence| 1 day |L 
Enter M 
highest 
consequence 











(continued overleaf) 


80 


Table 5.3 
Undesired Event 


Crimes Against 
People (hostage 
situation) 


Destruction of 
Building (vehicle 
bomb) 


PART ONE 


(continued) 


Measure of Consequence | Consequence Severity 


Economic loss 
(property loss + 
revenue) 


By Type 
H/M/L 


By Event 
H/M/L 





Economic loss 


(users) 


Deaths 





Geographic 
impact 


Public confidence | None 


0 
0-1 
Local 





Economic loss 
(property loss + 
revenue) 


Enter 
highest 
consequence 





Economic loss 
(users) 


Deaths 





Geographic 
impact 


Public confidence|6 H 
months 


Enter 
highest 
consequence 








$7M Н 
0 L 
10-20 |H 
Local |L 


Other important issues in estimating consequences are keeping 
the criteria and definitions constant during the analysis and doc- 
umenting of any assumptions made in estimating consequence 


severity. 


Examples of assumptions might be whether or not 


Consequence Analysis 81 


hardware replacement costs are included in the estimates or if 
the “domino effect” is included if other facilities could be affected 
by the attack or if contingency operations during recovery are 
included or not. Consequences may be scenario-dependent. To be 
security conservative, extreme (most severe) conditions should be 
used as “bounding” measures. 


5.4 SUMMARY 


The products of a Consequence Analysis are a site-specific reference 
table of consequences and relative consequence values for unde- 
sired events. Consequence values will be used together with threat 
and protection system effectiveness values to estimate relative 
security risk for the list of undesired events. 


5.5 REFERENCES 


1. Biringer, Betty, “Risk Assessment Method for Electric Power 
Transmission,” presented at Carnahan Conference on Security 
Technology, sponsored by IEEE, Albuquerque, NM, October 2004. 

2. MIL-STD-882D, “Department of Defense Standard Practice for 
System Safety,” February 10, 2000. 


5.6 EXERCISES 


1. Why should the reference table of consequences be site/organization 
/industry specific? 

2. Assume you have a multistory office building that houses six 
different companies, including one government organization. List 
the possible consequence criteria. 

3. What are the limitations of having more than three severity levels 
for consequence criteria (normally high, medium, and low)? 

4. Discuss the makeup and expertise of the team required to complete 
consequence analysis. 

5. What are some important assumptions that might affect the con- 
sequence analysis outcome? 


Сһарїег 6 


Asset Prioritization 


6.1 INTRODUCTION 


At this point in the security risk assessment process, the threat 
parameter and the consequence parameter have been estimated. 
Corporations or organizations that own many facilities may be 
faced with the dilemma of limited resources — time and or money — 
to complete risk assessments for all of their assets. The threat 
parameter together with the consequence parameter can be used 
to prioritize or order assets in a given facility or building in terms 
of which might be at the highest risk so that owners can address 
them first. Many corporations do not require a prioritization step, 
but for other corporations, prioritization is especially valuable. 
This prioritization scheme was used as a higher-level “screening” 
process to prioritize facilities. For example, in the year 2000, 
federal dam owners in the United States began to do security risk 
assessments for their dams. After September 11, 2001, there was 
an urgency to complete the assessments as quickly as possible 
and to address the most critical dams first. With more than 75,000 
federal dams in this country, the prioritization scheme presented in 
this chapter helped owners decide which dams to analyze first and 
further helped owners schedule the assessments for the remainder 
of their dams in the years following. 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


83 


84 РАКТ ОМЕ 


6.2 PRIORITIZATION MATRIX 


The prioritization matrix is constructed by plotting the ordered 
pairs of threat potential (likelihood of attack) vs. consequence 
(of successful attack) for assets for the most critical site-specific 
adversary group. The matrix can be used to prioritize either a 
number of different undesired events for a given facility or to 
prioritize different facilities. 

Figure 6.1 provides an example prioritization matrix for unde- 
sired events at an example facility. Note that the shaded area of 
the matrix highlights those undesired events/assets with medium 
or higher values for both threat potential and consequence. Figure 
6.2 provides an example of a prioritization for buildings owned by 
a corporation. 

The interpretation of the prioritization matrix for planning 
purposes is an exercise for the analysis team and the risk man- 
agers. Obviously, the assets shown in the upper-right corner of 
the matrix pose the highest risk because they have the high- 
est likelihood of being attacked and the highest consequences if 
the attack is successful. The matrix should be used to schedule 
security risk assessments for the given time and money resource 
constraints. The order in which the assessments are done must 


























H Loss of 
mission 
Loss of 
см facility 
Hostage 
L Vandalism 
Embarrassment 
L M H 
Pa 


Figure 6.1 Prioritization Matrix Example for 
Undesired Events/Assets at a Facility. 


Asset Prioritization 85 


























А Соорег 
H Ranger Site Building 
Bay Building 
см Edge Site 
L Mason Site Phillips 
Terp Building Building 
L M H 
Pa 


Figure 6.2 Prioritization Matrix Example for 
Sites. 


address site-specific conditions. The prioritization matrix should 
not be used to eliminate some assets from undergoing a security 
risk assessment. 


6.3 SUMMARY 


The security risk equation threat parameter together with the 
consequence parameter for a given asset can be used to prioritize 
assets. Assets with Medium or higher likelihood of attack and con- 
sequence value can be identified. Security risk managers can use 
this information to order assets for a full security risk assessment. 
The prioritization step is optional. Some owners only have a few 
assets and can easily complete security risk assessments for all of 
them, while others have numerous facilities and cannot complete 
risk assessments at all of them in a timely manner. Prioritization 
helps these owners decide which assets to address first. 


6.4 REFERENCES 


1. Biringer, Betty, “Risk Assessment Method for Electric Power 
Transmission,” presented at Carnahan Conference on Security 
Technology, sponsored by IEEE, Albuquerque, NM, October 2004. 

2. “Understanding Risk in a Changing World,” Short Course taught 
at Society of Women Engineers National Conference, October 16, 
2004, Milwaukee, WI. 


РАКТ ОМЕ 


6.5 EXERCISES 


Assume a corporation has completed threat and consequence anal- 
ysis for malevolent attacks at its seven buildings. The results are 
tabulated below. 


Building Likelihood of Attack 





1. Construct the prioritization matrix: 


L M H 


Pa 


2. Suggest the order for security risk assessments to be completed 


for the buildings if the owner has three years to complete the 
assessments and has the resources to do two or three per year. 
Provide reasons for your ordering and note any assumptions that 
you made. 


3. What are some other events, factors, or conditions that might alter 


the assessment schedule? 


4. How does prioritization of assets compare to the screening analysis 


discussed in Chapter 2? When would you use screening? When 
would you use asset prioritization? 


Сһарїег 7 


System Effectiveness 


7.1. INTRODUCTION 


The purpose of system effectiveness assessment is twofold: 


1. Estimation of protection system effectiveness 
2. Identification of site-specific vulnerabilities 


System effectiveness assessment begins with a review of the infor- 
mation derived in facility characterization and threat analysis 
discussed in previous chapters. The specific required information 
includes: 


e Site-specific fault tree 

e PPS description 

e Cyber-protection system description 
e System protection objectives 

e Threat description 


In estimating protection system effectiveness, a systematic appro- 
ach is used to answer the basic question, “To what level does 
the protection system meet the required protection objectives for 
the given adversarial threat?” The desired situation is when the 
answer to the question is High or Very High. When the answer is 
Medium or lower, the next question is “What makes the system 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


87 


88 РАКТ ОМЕ 


protection effectiveness Medium or Low?” The weaknesses or gaps 
in protection that result in the lower effectiveness level represent 
site-specific vulnerabilities. 


7.2 PROTECTION SYSTEM EFFECTIVENESS 


A systematic approach to estimate protection system effectiveness 
is used. The steps include: 


e Identification of adversary strategies 
e Assessment of PPS effectiveness 
e Assessment of cyber-protection system effectiveness 


7.2.1 Adversary Strategies 


Adversary strategies to accomplish undesired events at a site are 
outlined in the site-specific fault tree, which is why it is suggested 
that once the generic tree is made site-specific, the tree should be 
adequately protected. In an attempt to “bound” the problem, it is 
advantageous to use the most-vulnerable strategy for the analysis. 
The most-vulnerable strategy is defined as the strategy that pro- 
vides the greatest advantage to the adversary to accomplish the 
undesired event. Selection of the most-vulnerable strategy is made 
by using expert (team) opinion based on knowledge of the site, the 
operations, the information systems (process control and SCADA), 
and the existing physical and cyber-protection system features. 
Both physical and cyber-strategies should be considered for each 
undesired event. 

The most-vulnerable strategy to accomplish an undesired event 
must be identified first. Several factors must be considered in 
judging which strategy might be (relatively) the most-vulnerable: 


e Protection system weaknesses noted during facility charac- 
terization 
— Least-protected physical system features (detection, delay, 
response) 


System Effectiveness 89 


— Least-protected cyber-protection features (authentication, 
authorization, audit) 


Easiest system features to defeat 

e High consequence results 

Facility operating states that the adversary could use to an 
advantage 


— Emergency conditions 

— Above normal operating level 
— No personnel on-site 
Inclement weather 


Loss of power source(s), communications, or other support 


infrastructure 


If the decision of which strategy among others is “most-vulnerable” 
is too difficult to make, more strategies should be addressed for the 
undesired event. As many strategies as needed should be developed 
to provide confidence in the judgment. If both physical and cyber- 
attacks are possible for a given undesired event, the analysis 
should be completed and reported for both types of attacks. 

For demonstration purposes, assume a priority undesired event 
is the loss of mission. From the fault tree, disruption of building 
mission can be accomplished by disrupting normal work operations, 
compromising the structural integrity of the building, compromis- 
ing the health and safety of occupants, the disablement or misuse of 
utilities, the disablement or misuse of the HVAC, or disablement 
or misuse of emergency systems. For demonstration purposes, 
assume that the information gathered in facility characterization 
leads the analysis team to judge that disrupting work operations by 
destroying or manipulating the information system would be the 
adversary strategy of choice. Specifically, assume that based on rel- 
ative level of consequence, known protection system weaknesses, 
and ease of adversary attack, the team decides that the most- 
vulnerable strategy to cause loss of mission is to disrupt normal 
work operations by an attack on the information system. 


90 РАКТ ОМЕ 


7.2.1.1 Critical Assets for Strategies 


Once the most-vulnerable strategy(ies) for an undesired event is 
defined, the next step is to document the critical asset(s) associ- 
ated with the strategy. Protection of these critical assets will be 
the focus of the analysis. Both physical and cyber-attack options 
should be considered for each critical asset. In the above example, 
assume that the critical assets would be the computer equipment 
in the control room (for a physical attack) and the electronic com- 
munications to the process control equipment for the information 
system (for a cyber-attack). 

In the next section, construction of an adversary sequence 
diagram (ASD) for each critical asset (associated with the most- 
vulnerable strategy) will be discussed. 


7.2.2 Physical Protection System Effectiveness 


In this section, a systematic method developed and used extensively 
by SNL for estimating PPS effectiveness will be demonstrated. 
For more than 20 years, the basic method has been applied to 
numerous types of PPSs. Several tasks will be described to assess 
PPS effectiveness: 


e Development of an ASD for each critical asset 

e Association of detection and delay values for each element 
of the ASD 

e Selection of the most-vulnerable scenario 

e Assessment of PPS effectiveness for the most-vulnerable 
scenario for the given threat 


7.2.2.1 Adversary Sequence Diagram 


An ASD will be constructed for each critical asset included in the 
strategy. The ASDs will be used to model adversary paths to the 
critical asset, to derive the most-vulnerable adversary scenarios, 
and later, to support the risk reduction (system upgrade) function. 


System Effectiveness 91 


The ASD models the PPS at a facility. It identifies paths that 
adversaries can follow to accomplish the undesired event. An ASD 
can be used to model all possible adversary paths through a facility. 
ASDs for buildings may only have one or two layers of protection, 
but they are helpful tools. They help prevent overlooking pos- 
sible adversary paths and, when considering protection system 
upgrades, ASDs help in the selection of upgrades that affect the 
largest number of adversary paths and can help to ensure that 
all adversary paths are addressed. For example, suppose that the 
undesired event is to interrupt or disrupt the information sys- 
tem by attacking the control system operations. Figure 7.1 shows 
a sample building with two representative physical paths that 
adversaries might take to damage or sabotage the controls (criti- 
cal asset) inside the control room. Cyber-attack scenarios will be 
addressed in the next section. 

There are three basic steps in creating an ASD for a specific 
building. These include: 


1. Model the facility by separating it into adjacent physical 
areas. 

2. Define the system features between the adjacent areas. 

3. Construct the ASD. 


Property Area 


Building Interior 


Control Room 


Critical Asset 





Figure 7.1 Possible Adversary Paths. 


92 РАКТ ОМЕ 


Property Area 


Building Interior 


Control 
Room 
i 


Critical Asset 





Figure 7.2 Basic Areas at 
the Example Building. 





OffSite 
Property Area 
Building Interior 
Control Room 
Critical Asset 























Figure 7.3. Adjacent 
Physical Areas for the 
Example Building. 


7.2.2.2 Physical Areas 


The ASD models a facility by separating it into adjacent physical 
areas. Figure 7.2 is a facility sketch of the example building. 

Figure 7.3 describes the adjacent physical areas of the example 
building. The ASD represents areas by rectangles. 


7.2.2.3 Path Elements and Protection System Features 


The ASD models a PPS by identifying protection layers between 
the adjacent areas (see Figure 7.4). 

Each protection layer consists of a number of system features. 
The types of system features used in an ASD include: 


e DOOR — Doorway 
e DUCT — Duct 


System Effectiveness 


OffSite 








Property Area 








Po 


Building Interior 





Path Elements — 





Control Room 

















Critical Asset 


Figure 7.4 Path Elements between 


Adjacent Areas. 


e FENCE – Fence line 


e GATE — Gateway (could be pedestrian or vehicle) 
e TASK — Task at critical asset 


93 


e PORTAL - Series of two barriers with area between (could 


be gates or doors) 


e SURFACE — Could be wall, roof, floor 


e TUNNEL 
e WINDOW 


The basic ASD as it has been developed so far is given in Figure 7.5. 
The adversary attempts to sequentially defeat a feature in each 
protection layer as he traverses a path through the facility to the 
critical asset. The ASD represents all of the realistic physical paths 
that an adversary might take to reach a critical asset. For sabotage 





Off Site 





























I I 





І 
Property Area 


Protection 





Building Interior 


Layer 











oC) 


Ss e System Feature 





Control Room 


Critical Asset's 








______-. === 


Location 








Critical Asset 








Figure 7.5 ASD Concept. 


94 РАКТ ОМЕ 


analysis, only the entry paths would be evaluated, and the system 
features would be assumed to be traversed in only one direction. 
For theft analysis, the ASD shown should be considered to be 
traversed twice — on entry to the critical asset and on exit from the 
critical asset. Appendix B provides further information on special 
cases that might be encountered while developing ASDs. 


7.2.2.4 Detection and Delay Features 


During facility characterization, physical protection features were 
described, located, and any weaknesses in installation, mainte- 
nance, or testing were noted. The next step in analysis is to 
associate these physical protection features with the path ele- 
ments of the ASD. Specifically, detection and delay features of 
the PPS that are associated with each path element should be 
annotated. For example: 


Identification | Path Detection Delay Features 
Element | Features 


Personnel door | DOOR | Door switch sensor | Electronic lock 


to Control Magnetic stripe controlled by 
Room card reader card reader 


No assessment Solid wood door 





Detection (with assessment) is the discovery of adversary action 
and includes sensing covert or overt actions. In order to discover an 
adversarial action, a sensor (either equipment or personnel) must 
react to an abnormal occurrence and initiate an alarm. Assessment 
is necessary for effective detection. The information from the sensor 
and assessment subsystem must be reported and displayed so that 
someone can ultimately assess the information and determine if 
the alarm is valid (adversary) or invalid (false alarm or nuisance 
alarm). 


System Effectiveness 95 


Methods of detection include a wide range of technologies and 
personnel. Interior sensors can be active or passive (active sensors 
employ both a transmitter and receiver; passive sensors use only 
a receiver to sense an intrusion), covert or visible, volumetric or 
line detection and can be applied to detect boundary penetration, 
interior motion, or proximity to a critical asset. Exterior sensors can 
be passive or active, covert or visible, line-of-sight or line detection 
and can be buried line, fence-associated, or freestanding. Security 
personnel at fixed posts or on patrol serve a vital role in detection 
of an intrusion. Personnel can contribute to detection if they are 
trained in security concerns and have a means to alert authorities 
in the event of a problem. Assessment can be achieved by a video 
system displayed at an alarm station or by human observers. 
Entry control systems allow entry/exit of authorized persons and 
material, prevent the entry of unauthorized persons, weapons, 
explosives, or other contraband, and prevent the unauthorized exit 
of valuable or protected assets. Mary Lynn Garcia, in Vulnerability 
of Physical Protection Systems, describes sensors and components 
in detail, as well as discusses vulnerability testing for a spectrum 
of detection equipment. 

Entry control, in that it includes locks, may also be considered 
a delay factor in some cases. Entry control to various layers of the 
system should be designed to filter and reduce population that has 
access to the critical asset. Only those who need direct access to 
the critical asset should be allowed through the final entry control 
point. Searching for contraband, such as metal (possible weapons 
or tools) and explosives (possible bombs or breaching charges), 
is required for high-security areas. This may be accomplished 
by using metal detectors, x-raying (for packages), and explosive 
detectors. Personnel also can accomplish contraband detection 
through physical package searches. 

Delay is any physical protection feature that impedes adversary 
progress. Delay can be incurred by fixed barriers (e.g., doors, 


96 РАКТ ОМЕ 


vaults, locks). Personnel can be considered an element of delay 
if they can cause the adversary to be delayed in any way. The 
time to defeat an obstacle will be dependent on the adversary’s 
capabilities. For example, if the adversary only has a small amount 
of explosives available, and the delay feature requires a large 
amount to damage/destroy the barrier, the system will be effective. 
Note the importance of the detection function in the application 
of delay. If the adversary can make repeated attempts on a delay 
feature without intervention, they will eventually defeat the delay 
element. It is imperative that delay be preceded by a reasonable 
likelihood of detection earlier in the adversary path. 


7.2.2.5  Most-Vulnerable Scenario 


The most-vulnerable scenario is an expansion and refinement 
statement of the most-vulnerable adversary strategy derived ear- 
lier in the analysis. The scenario defines the actual path elements 
that the adversary would traverse and the tactics that he or she 
would use to reach the critical asset and cause the undesired event. 
Using the list of path elements annotated with detection and delay 
features, the analysis team, using expert opinion, should select the 
path that would optimize the success likelihood for the adversary. 
Feature weaknesses and gaps, site operating conditions, and pos- 
sible adversary defeat methods and tactics should be considered 
in the selection. The most-vulnerable scenario will be used in the 
next section to estimate the PPS’s effectiveness. Software tools 
like Estimate of Adversary Sequence Interruption (EASI), System- 
atic Assessment of Vulnerability to Intrusion (SAVI), and Analytic 
System and Software for Evaluating Safeguards and Security 
(ASSESS) have been used to derive the most-vulnerable adversary 
scenario at facilities. 

For the example facility, a most-vulnerable scenario for a phys- 
ical attack might be: Adversary enters the building through the 
personnel doors that are unlocked during normal working hours, 


System Effectiveness 97 


traverses the building interior to the control room. When control 
room is unoccupied, adversary forces control room door open, sets 
explosives/timer on computer equipment, and exits. The corre- 
sponding path elements from the ASD include: 


e DOOR - Personnel entrance to building 
e AREA — Building Interior — traversal 

e DOOR — Control Room door 

e AREA — Control Room — traversal 

e TASK - Set explosives/timer 


7.2.2.6 Estimating Physical Protection System Effectiveness 


PPS effectiveness is the measure of the ability of the PPS to meet 
its specified protection objectives, to prevent the specified unde- 
sired events. The most-vulnerable scenario and associated system 
features developed in the previous discussions will be used to esti- 
mate protection system effectiveness for each undesired event. The 
assumption of the analysis process is that the effectiveness of the 
PPS is only as good as the protection that it provides against 
the most-vulnerable scenario. 

An effective PPS must be able to detect the adversary early, delay 
the adversary long enough for the security response force to arrive, 
and neutralize the adversary before the undesired event is accom- 
plished. In particular, an effective protection system demonstrates 
effective detection, delay, and response. These physical protection 
functions (detection, delay, and response) must be integrated to 
ensure that the adversarial threat is neutralized before their mis- 
sion is accomplished. Detection is the sensing of an adversarial 
action and the assessment that it is a valid alarm; delay is any 
protection feature that impedes the adversary’s progress; response 
comprises actions taken by the security police force (police force 
or law enforcement officers) to prevent adversarial success. The 
security response must be notified in a timely and reliable manner, 


98 РАКТ ОМЕ 











Adversary Task Time 


System Delay 
PPS Time Required 






































Detect “| Response |; 























Begin Т, Ta T, Те - Task 


Асїїоп (First Complete 
Alarm) 


тїте _——————р› 
Figure 7.6 Interrelationships of PPS Functions. 


must arrive in time, and must be physically capable of neutralizing 
the adversarial action before the undesired event is achieved. 
Relationships of PPS Functions — The diagram below (see 
Figure 7.6) shows the relationships between the adversary’s task 
time and the time required for the PPS to do its job. The total 
time required for the adversaries to accomplish their goal has 
been labeled Adversary Task Time; it is dependent upon the delay 
provided by the PPS. The adversary may begin the task at some 
time before the first alarm occurs (To). The adversary task time 
is shown before To because delay is not effective before detection. 
After the alarm, the information must be reported and assessed 
to determine if the alarm is valid. The time at which the alarm 
is assessed to be valid is T4, and at this time, the location of the 
alarm must be communicated to the members of the response force. 
Further time is then required for the response force to respond in 
adequate numbers and with adequate equipment to interrupt the 
adversarial actions. The time at which the response force interrupts 
the adversary is 77, and adversary task time completion is To. For 
the PPS to accomplish its objective, Ty must occur before Te. From 
this diagram, it is obvious that a PPS performs better if detection 


System Effectiveness 99 


is as early in the timeline as possible and delay elements are near 
the critical asset and location. 

System effectiveness analysis can be performed by simply check- 
ing for required features of a protection system, such as intrusion 
detection, entry control, access delay, response communications, 
and a response force. However, a protection system based on 
required features cannot be expected to lead to a high-performance 
system unless those features, when implemented together, are 
sufficient to ensure adequate levels of protection. Sophisticated 
analysis and evaluation techniques can be used to estimate the 
minimum performance levels achieved by a protection system. 
Computer codes such as EASI, SAVI, ASSESS and Joint Com- 
bat and Tactical Simulation (JCATS) can be used to estimate a 
protection system’s effectiveness. For applications here, protec- 
tion system effectiveness schemes will be discussed for a simple 
protection system and a more complex system. 


7.2.2.7 Simple Physical Protection System 


A simple protection system can be briefly described as a protection 
system with a small number of protection features and only a small 
number of path elements to protect against adversarial actions. In 
most cases for a simple system, judgment of system effectiveness 
can be made by inspection. If one or more of the physical protection 
functions (detection, delay or response) are absent, lacking, or 
judged to be grossly ineffective, system effectiveness is low. Because 
all three functions are required, the generalization is that the 
protection system is only as good as the weakest link. For example: 


Door switch Hardened doors None: No arrangements 


sensors and walls made with local law 
enforcement 





100 РАКТ ОМЕ 


Magnetic swipe | Electronic locks 
card reader 


No assessment | Moderate area 
traversal time 


Low Medium Low effectiveness 
effectiveness effectiveness 





Minimum of Detection, Delay, and Response: Low effectiveness 


Protection system effectiveness would be estimated at Low effec- 
tiveness by selecting the minimum level of effectiveness for the 
protection functions of detection, delay, and response. 


7.2.2.8 Complex Physical Protection System 


If the PPS is more complex (i.e., there are various protection 
features for each system function), it may be more difficult to 
judge if the features demonstrate a high level of performance for 
detection, delay, and response features and whether or not the 
system would be expected to detect the adversary early enough, 
provide enough delay time to ensure that the response could arrive 
and then neutralize the adversarial action before the undesired 
event was achieved. In the absence of software tools to estimate 
a likelihood of adversary interruption before achievement of the 
undesired event, a first-order tool will be discussed to provide a 
qualitative estimate of protection system effectiveness. Consider a 
more complex facility and PPS shown in Figure 7.7. 

Layer 1 of path elements between Off Site and the Property 
Area would include the GATE (pedestrian), the FENCE, and the 
GATE (vehicle); Layer 2 of path elements between the Property 
Area and the Building Interior would include DOOR (either one 
of two personnel doors), the SURFACE (walls, roof, floor), and the 


System Effectiveness 101 


OffSite 
ж 


№ ж Ж 





ж 
Ргорепу Агеа 
ЕЕМСЕ perty 


GATE 
x 


Building Interior 





Control Room 


GATE 
Asset 














A 
SURFACE 








х = ~ = ж 


Figure 7.7 Example Facility with 
Complex Protection System. 





DOOR (vehicle); Layer 3 of path elements between the Building 
Interior and the Control Room would include SURFACE (walls, 
ceiling, floor), or the DOOR (personnel). Note that if path elements 
have identical protection features, they can be modeled once on the 
ASD. For example, if all personnel doors into the building have the 
same construction, locks, sensors, and assessment, only one DOOR 
will appear on the ASD. The corresponding ASD might look like 
Figure 7.8. 


OffSite 
САТЕ | [FENCE] | GATE) 
Property Area 
[poor] | SURFACE [DOOR | 
Building Interior 
[SURFACE] DOOR 
Control Room 
CTASK) 
Control Е 
Figure 7.8 ASD for Example Facility with 
Complex Protection System. 


102 РАКТ ОМЕ 


A table can be constructed of the path elements for the ASD that 
is annotated with detection and delay features. See Table 7.1. The 
analysis team can use this table together with other information 
collected during facility characterization and expert judgment to 
derive a most-vulnerable adversary scenario. 

The path elements listed on the rightmost column are those 
judged by the team to be associated with the most-vulnerable path 
for a specific adversary. The next step is to assess if the protec- 
tion features associated with these path elements could perform 
together to accomplish the protection objective of preventing the 
loss of the information system by a physical attack. One of the 
sophisticated software tools would estimate a probability of inter- 
rupting the adversary using a path algorithm that would address 
different adversary tactics and tools. 

The basic task is to estimate whether or not the adversary 
would be expected to be interrupted before the undesired event 
was achieved. For our purposes here, a crude time line is created 
for the adversary to complete the scenario judged by the team 
to be most-vulnerable. The adversary task time is accumulated 
from the path element that is judged to have a detection level of 
Medium or higher up to and including the task to accomplish the 
undesired event. Then the adversary task time is compared to the 
response force time. If the adversary task time (after detection has 
occurred) is shorter than the response force time, the adversary is 
not expected to be interrupted before the undesired event occurs; 
if the adversary task time is significantly longer than the response 
force time, interruption should occur. 

“Appendix C, System Effectiveness Worksheets” contains work- 
sheets for path elements to estimate relative/qualitative values 
of detection for a spectrum of detection features and delay time 
estimates for various barriers and traversal times, assuming a 
moderate adversarial threat with basic hand and power tools and 


System Effectiveness 103 


Table 7.1 Detection and Delay Features for Path Elements for Example 


Path Detection Delay Selected 
Element Path 
Element 
Vehicle Gate | No features Normally Pedestrian 
locked Gate 
Wrought iron 
gate 


Fence No features 5 ft wrought 
iron 


Pedestrian No features Always open 

Gate 

Area: Traversal Distance — 100 ft Property 
Area 


Vehicle Door | No features Metal roll up Pedestrian 


door Door 
Locked off 


hours 


Layer 1 





Surface Personnel Reinforced 
during working | block 
hours walls 


Layer 2 


Pedestrian Receptionist Tempered 

Door during glass door 
working hours’ | Key locked 
Door alarmed off hours 


off hours 


Area: Traversal Distance — 50 ft Building 
Interior 


Surface Control room Framed Control 
(control manned 24/7 sheetrock Room 
room) walls Door 








104 


РАКТ ОМЕ 





ТаЫе 7.1 (continued) 
Path Detection Selected 
Element Path 
Element 
| Door Badger reader | Hollow-core 
Е Door switch metal 
3 alarm door 
= 
Control room Electromag- 
personnel 24/7 | netic 
stripe lock 
Area: Traversal Distance — 5 | | Control 
| ee 
Task Control room No delay Task 
manned 24/7 features 








explosives. The process is to complete worksheets to estimate detec- 
tion level and delay time for each path element and area of the 
most-vulnerable scenario. Then the results can be summarized to 
assess whether or not the adversary would be expected to be inter- 
rupted and the undesired event prevented. Table 7.2 summarizes 
the results for the example’s most-vulnerable scenario. Note that 
adversary delay time does not accumulate until after a Medium or 
higher level of detection. The derivation of these example results 
is also included in Appendix C. 


7.2.2.9 Physical Protection Vulnerabilities 


In summary, the effectiveness of the PPS is judged to be at the 
Low level for the given adversarial threat. Further, each Low level 
assessment for path elements indicates weakness that leads to 
a specific vulnerability. The specific weakness or deficiency that 
drives the judgment to be Low instead of Medium or High is a 
site-specific vulnerability. 





System Effectiveness 105 


Table 7.2. Summary Assessment Results for Example Scenario 


Path Elements for Most | Detection Level| Delay Time (seconds) 
Vulnerable Scenario 


Gate (pedestrian) 


њи | о 
Building Interior Area _____ __ = ___ 
Control Room Area 0 
Delay Time after Detection 
Response Time 


Estimated System Effectiveness Level System Effectiveness: Low 
A < B, System Effectiveness = Low 
A ~ B, System Effectiveness = Medium 
A > B, System Effectiveness = High 








For the example, the pedestrian gate on the perimeter is judged 
to be Low detection effectiveness because there are no detection 
features to detect an intruder during working hours or off hours. 
The site-specific vulnerability in the PPS at the gate is the lack 
of detection features. There are no access controls, contraband 
detection, or intrusion detection features. 

Identification of specific vulnerabilities is important for contin- 
gency planning and for system upgrades to reduce security risk. 
For contingency planning, during heightened threat conditions, 
additional security features can be implemented, even temporar- 
ily (if not affordable permanently) to protect the facility. In order 
to reduce risk, the first approach is to increase protection sys- 
tem effectiveness. Addressing the site-specific vulnerabilities will 


106 РАКТ ОМЕ 


increase protection system effectiveness, and so, reduce relative 
security risk. 


7.2.3 Cyber-Protection System Effectiveness 


Some critical assets may be susceptible to malevolent attack by a 
physical and cyber-attack or maybe just a cyber-attack. This section 
will discuss another first-order method to assess the effective- 
ness of the cyber-protection system for a given critical asset. The 
basic protection objective for cyber-protection systems is to protect 
information and information systems. Specifically, the protection 
objective is to preserve the following three properties for data: 


e Confidentiality 
e Integrity 
e Availability 


Confidentiality requires that information not be made available 
to unauthorized individuals, entities, or processes. Confidential- 
ity requirements vary greatly, depending upon the category of 
information. There are no confidentiality concerns for nonsensitive 
information, but there are stringent needs for maintaining the con- 
fidentiality of highly sensitive information — for example, critical 
process control assets or control communications. 

Integrity requires that information not be altered or destroyed 
in an unauthorized manner. Although integrity concerns can vary 
with the information in question, there is a need to preserve the 
integrity of nearly all information; otherwise, there would be no 
value in maintaining the information. In the case of mission- 
critical information or information affecting safety, the level of 
concern regarding integrity can be quite high. 

Availability requires that information be accessible and usable 
on demand by an authorized entity. The level of concern regarding 
availability can vary greatly, depending upon the information 


System Effectiveness 107 


and the uses to which it is put, and costs of implementation 
and operations generally increase as availability requirements 
increase. In the case of some mission-critical applications, it may 
be necessary and prudent to build redundancy into the system at 
considerable expense. 

Analogously to the PPS assessment method, the cyber-protection 
system assessment method includes: 


e Development of a cyber-path-diagram for the critical asset 

e Association of authentication, authorization, and audit fea- 
tures for electronic paths to the critical asset 

e Assessment of cyber-protection system effectiveness for the 
critical asset 


7.2.3.1 Cyber Path Diagram 


All cyber-paths that link to a critical cyber-asset must be protected. 
Specifically, each cyber-link to the critical asset must be subject to 
the authentication, authorization, and audit functions. Analogous 
to the ASDs for physical paths to a critical asset, cyber-path 
diagrams can be constructed to describe cyber-paths to the critical 
cyber-asset. 

The first step is to identify the electronic security boundaries 
between the exterior of the system and the critical cyber-asset. 
Normally cyber-systems have an exterior electronic boundary and 
one or more interior boundaries. Cyber-protection features are 
deployed at these boundaries. 

The next step is to identify all of the access points to the system. 
Systems can be accessed via modems (located on- or off-site), 
the Internet, control room, alternate access points in the facility, 
communication links, or by the downloading of software. 

The electronic links between boundaries must be identified. 
These links can be formed by other noncritical cyber-assets or 
direct communication links. 


108 РАКТ ОМЕ 


Electronic Security 
Boundary 


Noncritical 
Cyber Asset(s) 


Secondary 
Electronic Security 
Boundary 


System Electronic 
Security Boundary 


Critical Cyber- 
Asset(s) 





Figure 7.9 Example Simple Cyber-System. 


Figure 7.9 depicts a very simple cyber-system to demonstrate 
the concept. The system has a critical asset within an electronic 
security boundary at the perimeter, a secondary electronic secu- 
rity boundary, and a system-level electronic security boundary, 
with various other noncritical cyber-assets. The numerous com- 
munication links that exist between entities are not shown on the 
chart. 

Figure 7.10 includes a cyber-path-diagram for the critical asset 
of the example simple cyber-system. This diagram can be used to 
consider the numerous cyber-paths from the access points to the 
critical cyber-asset. 


7.2.3.2 Cyber-Protection Functions 


Much like an effective PPS demonstrating high performance for the 
three functions of detection, delay, response, and the integration of 
these functions, an effective cyber-protection system demonstrates 
high performance for three basic cyber-security functions and their 
integration. These functions are used to ensure the properties 


System Effectiveness 


109 





Electronic Access Points 





DialUp Internet 
Modem 








Control Room Alternate Comm. Link Software 
Access Point Access Point 






































A 








Electronic Security boundary (Perimeter) 








т 
Noncritical cyber asset 
communication line(s) 





Other Communication 
line(s) 

















Secondary Electronic Security Boundary 

















Noncritical cyber asset 
communication line(s) 





Other Communication 
line(s) 

















System Electronic Security Boundary 











Noncritical cyber asset 
communication line(s) 





Other Communication 
line(s) 




















A 








Application 








GD 











Critical CyberAsset 








Figure 7.10 Cyber-Path-Diagram for Example Simple 


Cyber-System. 


of confidentiality, integrity, and availability. The three functions 


include: 


e Authentication 


e Authorization 
e Audit 


7.233 Authentication 


Authentication is the process of establishing the validity of a 
claimed identity. User authentication is the process of associating 
a computer identity with a human being. This may be done using 
mechanisms that fall into three basic categories: (1) something 
the individual knows, (2) something the individual has, and/or 
(3) something the individual is. Once a user is authenticated, 


110 РАКТ ОМЕ 


he or she is generally issued credentials that are associated with 
computer processes acting in the user’s behalf. User authentication 
is critical to the overall security of a system or network, because 
if one user obtains (maliciously or otherwise) another user’s cre- 
dentials, then he or she can access any information that user is 
permitted to access. Two-factor authentication means authenti- 
cation requiring two (or more) of the above factors. Two-factor 
authentication is stronger than authentication based upon a single 
factor, especially when that single factor is a password. 

The most frequently used authentication mechanism is the pass- 
word, which is something the individual knows. Passwords are 
more exploitable than most other authentication mechanisms. If a 
password is stolen or compromised, the original owner retains use 
of it, while at the same time another user can use it for a consid- 
erable period of time without the owner’s knowledge. In order to 
reduce the risk of compromised passwords, encryption techniques 
are frequently used to protect passwords when they are stored on 
a system and when they are transmitted over a network; however, 
this does not protect the passwords against keystroke capture at 
the client machine. 

Smart cards or tokens represent “something the user has,” and 
their use has become more prevalent in recent years. Smart cards 
and tokens can be divided into two major subcategories: (1) smart 
cards/tokens that connect electronically to the user’s system and 
(2) one-time-password tokens that interface to the user only via a 
touch pad and display. Smart cards can potentially be compromised 
via a network attack, although this is much more difficult than 
compromising a reusable password. One-time-password tokens are 
not as subject to misuse, because they require human interaction 
upon every use, but they are therefore considerably less convenient. 
On the other hand, smart cards are more convenient, because they 
require less interaction by the user, and they also support encryp- 
tion and digital signature functions, as well as authentication. 


System Effectiveness 111 


The biggest advantage of smart cards and tokens is that if they 
are lost or stolen, the owner is immediately aware of the fact, 
since he/she loses access. If the loss is reported, the device can 
immediately be disabled at the authentication server to prevent 
further use. 

Biometric authentication is based upon “something the user is.” 
Biometric technology has not yet been widely accepted, because of 
both its cost and the difficulty ofreaching an acceptable level of false 
positives and false negatives. Fingerprint recognition is currently 
the most popular and socially acceptable biometric technology, and 
the cost and accuracy of fingerprint readers has dropped dramati- 
cally. The use of this technology requires fingerprint readers and 
software to be deployed to the client systems. 

Because of their role in cyber-security, all process control net- 
work authentication servers will be afforded the maximum protec- 
tion practical. In order to maintain the confidentiality and integrity 
of these central authentication services, it is imperative that the 
number of persons with privileged access (e.g., root or adminis- 
trator) to these services be kept at a minimum and that these 
employees be appropriately screened. 


7.234 Authorization 


Authorization is the process of determining what actions an entity 
is allowed to perform with respect to a given object. Authorization 
for access to systems and applications must be granted by man- 
agement. Authorization for access to information on systems must 
be controlled so that only authorized users can access specified 
information objects (e.g., files, data base records, web pages) based 
upon their authenticated identity. 


7.2.3.5 Audit 


Auditing is the process of recording the actions or attempted actions 
performed by an entity within a computer system or network. 


112 РАКТ ОМЕ 


The intrusion detection system supports the audit function. The 
major components of a cyber-intrusion detection system include the 
review of traffic data; scanners to detect any unusual occurrences, 
including any suspect ports or modems; virus protection; and 
monitors for access control. 

All operating systems and applications services must log security 
significant events. Where possible, these events should be recorded 
in the system log in order to facilitate access to these events by 
centralized audit log analysis tools. The logs gathered on client 
workstations will not normally be examined, except in the case of 
an incident investigation. 

The primary tools used to detect vulnerabilities in operating 
systems and network applications are network vulnerability scan- 
ners. The most significant vulnerabilities that exist on a system 
are generally the ones that are visible from outside the system and 
that make it vulnerable to network attack. For this reason, empha- 
sis is placed on network vulnerability scanners. It is important 
that the vulnerability scanning, analysis, and reporting process be 
automated to the extent possible. 

Operating systems and applications must be securely configured 
with all applicable patches, and these patches must be kept up 
to date as new vulnerabilities are discovered. Systems that are 
externally accessible must be updated immediately with security 
significant patches. Systems that are not directly accessible from 
the outside must still be patched, but the time frame will vary 
according to the seriousness of the vulnerability. Vulnerability 
analysis tools should be used to verify that systems have the 
required patches. 

One of the most convenient avenues of attack against networks 
is through the introduction of malicious code onto machines. Virus 
protection is used to support the detection of malicious code. Any 
software packages that are added should be carefully reviewed and 


System Effectiveness 113 


tested and connection to the web should be protected against or 
prohibited. 

The audit function includes access control monitoring. There is a 
complementary relationship between firewalls and intrusion detec- 
tion systems. Firewalls block undesired network traffic and permit 
desired traffic. The cyber-intrusion detection system inspects both 
blocked and permitted traffic for suspect patterns. 


7.2.3.6 Integration of Cyber-Functions 


Each of the cyber-functions of authentication, authorization, and 
audit must be performed at a high level, and the functions must be 
integrated. The authentication and authorization functions both 
provide data to the audit function where it is analyzed for evidence 
of malicious activity. Firewalls and encryption support all three 
cyber-functions as well as the protection of the communication 
links used among the functions. 


7.2.3.6.1 Effective Cyber-Protection System An effective cyber-pro- 
tection system provides graded protection, namely security mea- 
sures must be commensurate with the sensitivity of the information 
contained in that system. Ifa critical cyber-asset can be maliciously 
compromised to cause a high-consequence undesired event, a high 
level of protection must be afforded it. Cyber-security measures 
are implemented at the network, system, and application level pri- 
marily to protect the information contained therein, although in a 
few cases security measures are implemented to prevent unautho- 
rized access to high-value systems themselves, such as any critical 
cyber-assets or control communication link. 

Cyber-protection system effectiveness is the measure of the abil- 
ity of the cyber-protection system to prevent the undesired event. 
All of the cyber-paths to the critical cyber-asset must be protected. 
The assumption of the analysis process is that the effectiveness of 
the cyber-protection system is only as good as the protection that 


114 РАКТ ОМЕ 


it provides for all of the electronic paths to the critical cyber-asset. 
The process for estimating cyber-protection system effectiveness 
has three basic parts: 


1. List features of the cyber-protection system that provide 
authentication, authorization, auditing, and system inte- 
gration for the critical asset. 

2. Estimate cyber-protection system effectiveness for each 
asset by assessing the performance level of protection sys- 
tem features for authentication, authorization, audit, and 
system integration from Table 7.3. 


Table 7.3 was established by expert opinion provided by cyber- 
analysts. 

Continuing with our example, if our critical cyber-asset is the 
electronic control system, the cyber-protection system assessment 
might look like the results in Figure 7.11. Authentication is judged 
to be Low because user defined passwords are considered low 
effectiveness; authorization is Low because all employees and 
contractors have access to critical cyber-assets; perhaps audit per- 
formance is judged to be Medium in effectiveness and not High 
because data reviews are periodic and not timely; the integration 
function is judged to be Low because there are no firewalls or 
encryption features to integrate the system performance. 


7.2.3.7. Cyber-Protection Vulnerabilities 


In summary, the effectiveness of the cyber-protection system is 
judged to be at the Low level for the given moderate adversarial 
threat. Further, each Low level assessment for cyber-functions 
indicates a specific vulnerability. The specific weakness or defi- 
ciency that drives the function to be judged as Low instead 
of Medium or High represents a system vulnerability. For the 
example, weak passwords (user-defined) represent a site-specific 
vulnerability as does the lack of cyber-system-integration features. 











System Effectiveness 115 
Table 7.3. Relative Cyber-Protection System Effectiveness 
Low Medium High 
Effectiveness Effectiveness Effectiveness 

Authentication No features Strong two-factor 
or weak password? 
password? 

Authorization No features Permissions Permissions 
or based upon based upon 
permissions project-based project-based 
based upon groups or groups or 
coarse roles roles; other 
groupings, user 
e.g., “any attributes, 
employee” and/or 

authentica- 
tion trust 
level (e.g., 
two-factor) 
Audit No features Required, Required, 
retained for X | Retained for 
months, X months, 
analyzed if analyzed 
incident periodically 
occurs for evidence 
of 
unauthorized 
activity 

Integration No firewalls Some Firewalls and 
and/or No firewalls and encryption for 
encryption some all paths 

encryption 





a Weak password: No requirements for length or type of characters 
(relatively easy to defeat). 

b Strong passwords have requirements for length, use of characters (letters, 
capitals, numbers; are relatively harder to defeat). 


116 РАКТ ОМЕ 


1. List cyber protection system features for paths 





Authentication Authorization Audit Integration 
Passwords — User All employees and Intrusion detection No features 
defined contractors have system at perimeter 

standard electronic boundary 

authorization. Scanners 

Virus protection 

Only system Access control 

administrators can monitoring 

access corporate Random traffic data 

system. review 


2. Estimate cyberprotection system effectiveness for paths to asset: L 





Cyberprotection system (circle one) 
Authentication performance level: LMH 


Authorization performance level: LMH 
Audit performance level: LMH 
System Integration: LMH 


Minimum value of above LMH 


Minimum level = cyberprotection system effectiveness for asset а В 





Figure 7.11 Example Cyber-Protection System Effectiveness 
Assessment. 


Identification of system vulnerabilities is important for system 
upgrades to reduce security risk. Addressing the system’s vulner- 
abilities will increase the protection system’s effectiveness, and so 
reduce relative security risk. 


7.3 SUMMARY 


In this chapter, protection system effectiveness has been discussed 
and demonstrated. The outputs of system effectiveness assessment 
are the estimation of PPS effectiveness, cyber-protection system 
effectiveness, if appropriate, and identification of site-specific vul- 
nerabilities in the protection system. 

System effectiveness assessment uses the site-specific fault tree, 
the PPS description, and the cyber-protection system description 
to assess whether or not the system meets the specified protection 
objectives for the defined threat description. 

The system effectiveness assessment methods described in this 
chapter can be used for both outsider threats and an insider threat. 


System Effectiveness 117 


A protection system to mitigate the insider threat faces challenges 


because of the knowledge, access, and authorization afforded the 


insider. Protection from the insider adversary is discussed sepa- 


rately in “Appendix D, Insider Threat.” 


10. 


7.4. REFERENCES 


. Biringer, Betty, “Risk Assessment Method for Electric Power 


Transmission,” presented at Carnahan Conference on Security 
Technology, sponsored by IEEE, Albuquerque, NM, October 2004. 


. Brown, C. Douglas, Sandia National Laboratories “Cyber Security 


Architecture for Unclassified Computer Environments,” Sandia 
National Laboratories, September 30, 2004. 


. Garcia, Mary Lynn, The Design and Evaluation of Physical Pro- 


tection Systems, Butterworth-Heinemann, Boston MA, 2001. 


. International Training Course for Nuclear Facilities and Mate- 


rials — Volume I. Determining Physical Protection System Objec- 
tives, Sandia National Laboratories and the International Atomic 
Energy Agency, 2004. 


. North American Electric Reliability Council, “Urgent Action 


Cyber Security Standard, Standard CIP-002-1,” Draft, May 
9, 2005, http:/Awww.nerc.com/~filez/standards/Cyber-Security- 
Permanent.html. 


. Paulus, W. K., “Generic Physical Protection Logic Trees, SAND79- 


1382,” Sandia National Laboratories, Albuquerque, New Mexico 
87185, October 1981. 


. Sandia National Laboratories, Analytic System and Software for 


Evaluating Safeguards and Security (ASSESS) User’s Guide, 
March 1993. 


. Sandia National Laboratories Security Risk Assessment Method- 


ologies, http://www.sandia.gov/ram. 


. “Understanding Risk in a Changing World,” short course taught 


at Society of Women Engineers National Conference, October 16, 
2004, Milwaukee, WI. 

Vesely, W. E., Goldberg, F. F. Roberts, N. H., and Haasi, D. F. 
Fault Tree Handbook, NUREG-0492, Systems and Reliability 
Research, Office of Nuclear Regulatory Research, U.S. Nuclear 


118 РАКТ ОМЕ 


Regulatory Commission, Washington, DC 200555, January 1981. 
(Available from GPO Sales Program, Division of 20555 and 
National Technical Information Service, Springfield, VA. 


7.5 EXERCISES 


1. List the information developed in previous chapters that is used 
extensively in the protection system effectiveness assessment. 

2. How is the site-specific fault tree used to identify adversary strate- 
gies and eventually to identify the most-vulnerable scenario? 

3. Under what conditions are both physical and cyber-protection sys- 
tem assessments required? 

4. Describe the general process to determine the most-vulnerable 
strategy and scenario. What site information is used in the deter- 
mination? 

5. Consider the following hypothetical facility: 





x x х 
Property Area A 
Boundary (No fence) 






poor 1} Building Interior 
> 








Asset, 
—ь 
% 


DOOR > 








DOOR 2 














a. Sketch the ASD for sabotage of the asset. 

b. Assume that the most-vulnerable scenario includes the path ele- 
ments: DOOR 2, Building Interior Area, DOOR, TASK (sabotage 
asset). 

(i) If there are no detection features, what level is the physical 
protection system’s effectiveness? Why? 

(ii) Ifthere are no detection features, but delay and response are 
at the High level, what level is physical protection system 
effectiveness? Why? 


System Effectiveness 119 


(iii) If detection and delay are at the High level and there are no 
response features, what is the level of the physical protection 
system’s effectiveness? Why? 

с. If there are various features for detection and delay and there is 
a local law enforcement response, list which worksheets might be 
used to estimate the physical protection system’s effectiveness? 

d. Assume the following features for the path elements of the most- 
vulnerable scenario. Assume that the response is judged to be 
highly effective, is located nearby, and can reliably arrive within 
five minutes from the time that the response team gets the call. 


Path Element Detection 
Pedestrian Door alarmed Tempered glass 
Door off hours door 


Key locked off 
hours 






Building Interior Area: Traversal Distance — 30 ft 


Vault Room Badge reader Steel door 

Door Door switch Combination 
alarm lock 

Task Motion sensors No delay 
Camera features 
assessment 








(i) Estimate the PPS effectiveness level. 
(ii) List site-specific vulnerabilities in the PPS. 
6. Assume that the following graph describes the cyber-protection 
system for critical cyber-assets and that the system is accessible 
via the Internet, dial-up modems, and the control room. 


System Electronic 
Security Boundary 


Critical Cyber 
Asset(s) 





120 


РАКТ ОМЕ 


a. Sketch the cyber-path-diagram for the system. 
b. Assume that the Electronic Security Boundary includes the 


following cyber-protection features: 


Authorization Audit 


Authentication 


Passwords 
required — ma- 
chine- 
generated 





Short list of 
employees/con- 
tractors who are 
allowed to access 
system 








Integration 


Series of 
firewalls 


Required, 
system 
analyzed on 
prescribed 
schedule for 
unautho- 
rized 
activity 


c. Estimate the cyber-protection system effectiveness level. 
d. List any site-specific vulnerabilities of the cyber-protection sys- 


tem. 


7. Assume that a critical asset is susceptible to physical attack and 
cyber-attack and that either type of attack will cause the same level 
of consequences. If the PPS effectiveness is estimated to be Medium 
and the cyber-protection system effectiveness is estimated to be 
Low, what is the overall level of protection system effectiveness? 
Give reasons for your response. 


. Discuss the value of site-specific vulnerabilities in the protection 


system that have been derived by a systematic analysis. 


Сһарїег 8 


Estimating Security Risk 


8.1 INTRODUCTION 


At this point, processes have been provided to estimate the 
three parameters to estimate security risk: likelihood of adversary 
attack, system ineffectiveness, and the consequences of adversary 
success. What is important to the mission of the facility has been 
identified; specifically, the undesired security events that would 
interrupt the mission, the consequences associated with the event, 
and the targets that must be protected to prevent the undesired 
events. The adversarial threat spectrum, who might attempt the 
undesired event(s), has been described in as much detail as possi- 
ble. A system effectiveness analysis has been completed for both the 
PPS and the cyber-protection system to determine how well the cur- 
rent protection system protects against the adversarial threat spec- 
trum for the undesired events and to identify site-specific vulnera- 
bilities. The next step is to combine the three security risk param- 
eters (likelihood of adversary attack, system ineffectiveness, and 
the consequences of adversary success) to estimate security risk. 


8.2 ESTIMATING SECURITY RISK 
Security risk managers need a “measurement scale” to help them 


use the information that they have, to make the most logical 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


121 


122 РАКТ ОМЕ 


business decisions to manage security risk from malevolent acts. 
The security risk value estimated in this chapter is a qualitative 
estimate of security risk. The purpose of this risk value is to provide 
a reference point or “measure” for the security risk associated 
with the baseline protection system. This “measurement scale” 
is particularly important to risk managers because it helps them 
understand the level of current security risk, and it provides a 
reference point for evaluating and comparing other security risks. 


8.2.1. Conditional Risk 


Conditional security risk does not include the initiating event 
(adversary decides to attack) and focuses on the likelihood of 
adversary success in the attack (system ineffectiveness — the com- 
plement of protection system effectiveness) and the consequences 
resulting from the attack. Historically, conditional security risk 
has been used when there is not enough information to estimate 
attack likelihood and/or when consequences are so extremely High 
(unacceptable), that risk analysts do not bother with estimating 
the likelihood of the attack. Of the three security risk parameters, 
likelihood of adversary attack is the most uncertain because it is 
difficult to estimate and is the most subjective of the parameters. 
From the security risk equation, conditional risk is expressed as: 


Risk = (1 — Pr) *C 
Pr = System effectiveness 
(1 — Pg) = System in-effectiveness 


C = Consequence 


8.2.2 Relative Risk 


The risk value estimated in this chapter is the relative security risk 
that is qualitative in nature. It is used to provide a reference level 
of risk and for comparison purposes. The risk level is expressed as 


Estimating Security Risk 123 


Very High, High, Medium, Low, and Very Low. The temptation is to 
associate numbers with the levels and derive a quantitative value 
for the risk level. The process can be used as long as the results 
are qualified in terms of the accuracy of the resultant quantitative 
value. The result is a point estimate, at best, and should not be used 
as an absolute value; instead it should be used only to establish 
relative ranking. 

For our purposes here, qualitative levels of the three risk param- 
eters (likelihood of adversary attack, system in-effectiveness, and 
consequence of attack) are combined utilizing a combination of logic 
and expert judgment model. Table 8.1 provides an example table, 
combining the risk parameters to estimate relative security risk. 
For example, for a given scenario to cause the undesired event, if 


Table 8.1 Estimating Relative Security Risk 


1 —Pg (System |C R 
(Relative 
Security Risk) 


шш | ||| 
| г к к к 








н 


= 


ер 
| 


124 РАКТ ОМЕ 


Table 8.1 (continued) 








РА 1 -Рұ (8уѕіет |С R 

(Likelihood of | Ineffectiveness) | (Consequence) | (Relative 

Attack) Security Risk) 
м 
м 
м 
м 
м 
м 
н 
н 
н 
i 
н 
н 
н 
н 
н 

L= Low 

M = Medium 

H = High 


the threat potential or likelihood of an adversary attack is esti- 
mated to be Medium (M), the system ineffectiveness is estimated 
to be Low (L), and the consequences of the attack are estimated 
to be Medium (M), the relative security risk is estimated to be 
Low. 


Estimating Security Risk 125 


8.3 SUMMARY 


In this chapter, the three parameters of the security risk equation — 
likelihood of adversary attack, system in-effectiveness, and con- 
sequence — are combined to estimate relative security risk. The 
overriding caution is that the estimated value of security risk is 
relative in nature and is a qualitative point estimate, at best. The 
value is not absolute, and any further degree of numerical accuracy 
should not be implied. 

The estimated security risk value does provide risk managers 
with a valuable “measure” of risk to malevolent attack that can be 
used to make risk management decisions. 


8.4 REFERENCES 


1. Sandia National Laboratories Security Risk Assessment Method- 
ologies, http://www.sandia.gov/ram. 

2. Paulus, William and Matalucci, Rudy, “Risk Matrix Table,” Sandia 
National Laboratories, Albuquerque, NM, June 2001. 


8.5 - EXERCISES 


1. Define conditional risk. When is conditional risk preferred? 

. Define what is meant by relative security risk. 

3. Discuss the benefits of having a “measurable” parameter for secu- 
rity risk level. 

4. Discuss how security risk values should and should not be inter- 
preted. 

5. Describe how and why the assessment team might decide to modify 
the table for Estimating Relative Security Risk (like Table 8.1). 


N 


Chapter 9 


Risk Reduction Strategies 


9.1 INTRODUCTION 


At this stage in the security risk management process, the percep- 
tion of the analysis team is that the security risks are above 
the acceptance level, and the presentation package to manage- 
ment should include analysis of security strategies and mitigation 
options to reduce risk for the building or facilities that are being 
reviewed. Most likely the direction has been set for exploring and 
developing alternative plans that would accomplish and demon- 
strate risk reduction and ultimately enhance the protection of 
occupants, property, and mission requirements. This chapter will 
describe the development of strategies to reduce security risk. 
The strategies are based on the parameters of the security risk 
equation: likelihood of adversary attack, system ineffectiveness, 
and consequence. Logically, in order to reduce security risk, one or 
more of the three parameters must be reduced. The analysis team 
will explore and analyze possible strategies to reduce one or more 
of the risk parameters. Figure 9.1 outlines the basis of security 
risk reduction strategies. 


9.2 STRATEGIES FOR REDUCING LIKELIHOOD 
OF ATTACK 


Reducing the likelihood of adversary attack points toward some 
type of “deterrence” strategy. Security deterrence is very difficult to 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


127 


128 РАКТ ОМЕ 


Risk 
Reduction 
Strategies 











Combination 
of Risk 


Reduction 
Strategies 











Reduce Improve Mitigate 
Likelihood of System Consequences 
Attack Effectiveness 


Figure 9.1 Basis of Risk Reduction Strategies. 








measure. Historically, deterrence appears to be effective for some 
period of time; the period of time is hard to predict because it is 
only as long as the time required for the adversary to learn how 
to defeat the system. The most reliable deterrence is an effective 
security system. 

For lower-level threats or for threats without a specific target, 
there is some credence in the belief that a well-structured building 
security system might “deter” an attack or rather redirect it to 
a more vulnerable neighboring building, if the objectives for the 
attack are similar in motivation, and the impact on society and 
the country might be relatively equitable. Of particular interest 
are the deterrence effects certain security and protective measures 
can produce if the adversary is less determined, less motivated, 
and less willing to die for a cause. The less sophisticated adversary 
might be deterred from an attack if cameras are constantly pro- 
viding surveillance and are difficult to compromise. Crime-witness 
methods can also be effective, such as posting reward signs around 
a building or in the vicinity of its facilities that indicate benefits to 
the reporting witness if notification is made to any authority about 
any indication of a criminal activity in the surrounding area or at 
the building. In addition, surveillance cameras may be useful for 
forensic purposes and prosecution. 

For high-level motivated threats, itis not prudent to base a reduc- 
tion strategy solely on reducing likelihood of adversary attack. For 
these reasons, the focus for security risk reduction strategies will 


Risk Reduction Strategies 129 


be the improvement of security system effectiveness, the mitiga- 
tion of consequences, or a combination of both security system 
improvement and consequence mitigation. 


9.3. STRATEGIES FOR INCREASING PROTECTION 
SYSTEM EFFECTIVENESS 


In an ideal world, the goal would be for the security system to pre- 
vent all of the undesired events, so exploring strategies to increase 
the protection system’s effectiveness is the first risk reduction 
strategy to be discussed. The obvious starting point for ways to 
increase the protection system’s effectiveness is the list of site- 
specific vulnerabilities identified during the system effectiveness 
analysis, Chapter 7, “System Effectiveness.” These specific vul- 
nerabilities were a product of the analysis; logically, removing or 
securing these vulnerabilities would increase protection system 
effectiveness and, thus, reduce security risk. 


9.3.1. Physical Protection System Upgrades 


Physical protection system upgrades address the detection, delay, 
and response functions and their integration. Table 9.1 provides 
examples of possible system features to be considered for upgrades, 
listed by protection system function. 


9.3.2 Cyber-Protection System Upgrades 


Cyber-protection system upgrades address the authentication, 
authorization, and audit functions and their integration. Table 
9.2 provides examples of possible system upgrades by protection 
function. 


9.3.3 Protection System Upgrade Package(s) 


A protection system upgrade “package” that addresses all ofthe site- 
specific vulnerabilities for the building or facility can then be sug- 
gested and assessed with a system effectiveness analysis to ensure 


130 


Table 9.1 


Detection 


Interior sensors: 
Boundary 
penetration 
Motion 
Proximity 
Personnel 
Exterior sensors: 
Intrusion 
Personnel 
Access control: 
Identity check 
Authorization 
Contraband 
detection 
Alarm 


Tamper 
indication 
Line 
supervision 
Assessment: 
CCTV 
Personnel 





Intrusion Sensing: 


communication: 





PART ONE 


Delay 

Barriers Interruption: 
Communica- 

Locks tion to 

response 

Security Deployment 

personnel time 

Tasks at | Neutralization 

critical 

asset 


Potential Physical Protection System Upgrade Features 


Integration 


System detects 
adversary 
early enough 
and delays the 
adversary long 
enough for the 
response to 
arrive 





and measure the increase in protection system effectiveness. The 
specific steps to develop a security system upgrade package to 
increase protection system effectiveness include: 


1. Review of the site-specific vulnerabilities 


a. Protection functions associated with each vulnerability 


(i) Physical (detection, delay, response, integration) 


(ii) Cyber (authentication, authorization, audit, integr- 


ation) 


Risk Reduction Strategies 


131 


Table 9.2 Potential Cyber-Protection System Upgrade Features 


Authentication 


Something known: 
Passwords 
Something 
possessed: 
Smart cards 
Tokens 
Personal identifier: 
Biometric 
(fingerprint) 
Dual-factor: 


Authorization 


Determined 
by manage- 
ment 


Limits 
number 
with access 
Controlled 


Network 
scanners 
Intrusion 
detection 
Review of 
traffic 
data 
Scans 
Virus 
protection 


Encryption 


Firewalls 


Any two of above 
Access 
control 
monitors 





b. Specification of the system feature associated with each 
vulnerability 
2. Suggestion and evaluation of protection system upgrade 
package(s) to increase protection system effectiveness 


A summarization and organization of all of the site-specific vulner- 
abilities identified by the system effectiveness analysis provides 
valuable guidance about where to upgrade the protection system. 
The lists of site-specific vulnerabilities identify the protection func- 
tion, as well as the specific system feature associated with each 
vulnerability. Remember that a system feature is one of the path 
elements from the ASD, namely, a DOOR, DUCT, FENCE, GATE, 
TASK, PORTAL, SURFACE, TUNNEL, or WINDOW. Upgrade 
features must be suggested for site-specific vulnerabilities. Depend- 
ing on the nature of the vulnerability, upgrades must be made to 
the PPS system and/or the cyber-protection system. 

One or more security system upgrade packages should be devel- 
oped from the feature upgrades to address all of the identified 


132 РАКТ ОМЕ 


site-specific vulnerabilities. Packages should be based on the 
judgment of the analysis team. Upgrade package content may 
be driven by threat level, ease or timeliness of implementation or 
site or corporate sensitivities. Most often, three security system 
upgrade packages are postulated, based on threat level: 


1. Package 1 is designed for a lower-level threat (vandal, gang, 
criminal, extremist) 

2. Package 2 is designed for a medium relative threat (Package 
1 plus a domestic terrorist) 

3. Package 3 is designed for a higher relative threat (Package 
2 plus an international terrorist threat plus an insider) 


The organization of the vulnerabilities might suggest system 
upgrades that address multiple features. The ASDs should be 
reviewed to ensure that all of the vulnerabilities for the spe- 
cific path elements are addressed and that the upgrade package 
ensures that all paths of the ASD are protected at least as well 
as in the scenario that was considered to be the most vulner- 
able (used for the system effectiveness analysis). Finally, each 
upgrade package should be evaluated with a system effectiveness 
analysis to ensure and measure actual improvement in protec- 
tion system effectiveness. If the security system upgrade packages 
cannot ensure a high enough level of effectiveness to prevent the 
undesired events, strategies for mitigating consequences should be 
explored. 


9.4 STRATEGIES FOR MITIGATING CONSEQUENCES 


The first step in consequence reduction is to carefully examine the 
consequence values that were estimated for the undesired events 
in the analysis (see Chapter 5, “Consequence Analysis”) and to 
identify the consequence categories that provided the highest con- 
tributions to those estimates. Specifically, consequences should 
be summarized by those that are: (1) people-related, such as loss 


Risk Reduction Strategies 133 


of life and casualties, (2) building- and facilities-related, such as 
loss of properties, (3) revenue-related, such as loss of jobs, loss of 
income, loss of mission and work space, (4) community-related, 
such as loss of services, loss of public space, loss of confidence, 
(5) interdependency-related, loss of continuity of government ser- 
vices, loss of communications, loss of utilities, loss of emergency 
services, and (6) other-related, such as collateral damage, cascad- 
ing effects, loss of recreation and cultural amenities, and the like. 
Summarizing consequence in this way will provide guidance as 
to which consequence categories should be addressed to optimize 
consequence mitigation. 
Strategies to mitigate consequences include: 


e Construction hardening 
e Redundancy 

e Optimized recovery 

e Emergency planning 


9.4.1 Construction Hardening 


A specific strategy for consequence mitigation is the hardening of 
the construction of the building or facility against blast effects. 


9.4.1.1 Blast Design Basis Threat and Explosive Scenarios 


The development of a blast design basis threat for a variety of 
explosive attack scenarios currently appears to raise significant 
issues about what to do and where to apply any hardening against 
blast effects. Numerous government organizations involved in the 
defense of weapon systems against air blast and accompanying 
ground motions have produced manuals and methodologies for 
dealing with the question of hardening for protective construc- 
tion systems. The use of heavily reinforced concrete and steel 
designs is well within the state of the art for architects and engi- 
neers to apply where needed. However, the threat criterion that 


134 РАКТ ОМЕ 


is applied to meet blast requirements to protect a building and 
any of its critical facilities is not an easily derived factor without 
careful threat analysis and risk acceptability decisions that ONLY 
the owner and stakeholders can make. If a government agency 
is involved, the threat criterion that is used for blast protection 
design purposes is usually better defined by the agency’s command 
and intelligence gathering structure. However, for nongovernment 
buildings, the blast design basis threat must be defined through a 
thorough understanding of the results following a full risk assess- 
ment process. A blast design basis threat is established by the 
owner and stakeholder decision makers, with advice from the risk 
assessment team. The threat is defined in terms of the amount and 
the type of explosives and the delivery system(s) involved. Once 
the blast design basis threat is established, the blast protection 
designer/engineer can find alternative solutions using available 
standoff distance(s) and hardening techniques and measures that 
are applicable to the building or facility to provide some level of 
protection against blast effects. 


9.4.1.2 Site Features, Orientation, and Viable Targets 


The site features, orientation, and possible obstructions may affect 
the adversary’s access or line of sight to critical assets. Site fea- 
tures that might be considered as hindrances to an adversary’s 
attack, include rigid and energy-absorbing (frangible) barriers at 
the perimeter such as walls, high curbs, planters, bollards, trees, 
shrubs, ditches, soil-rock berms (such as gabion walls), rocks, mas- 
sive equipment and vehicles, and natural and man-made barriers. 
The building elements that might require protection or harden- 
ing include building structural members (columns, walls, beams, 
buttresses), utilities (cables, pipelines, values, switches, control 
panels, pumps, hydrants) personnel (occupants, visitors), functions 
(administrative, computer center operations, command and control 
centers, other operational missions), and entrances (portals, gates, 


Risk Reduction Strategies 135 


lobbies, doors, tunnels, arches, vents, conduits). Explosive attacks 
on building elements might cause a catastrophic failure, partial 
collapse, or severe damage to the building system and/or its opera- 
tions, including casualties and fire. Possible attack modes include 
ground-mobile devices such as positioned explosives, mechanical 
equipment and hand tools, ramming vehicles, and air- or water- 
borne projectiles. 


9.4.1.3 Disruption, Damage, Total Collapse 


The assessment regarding mode of failure of a building and its 
facilities is an important part of an evaluation and greatly assists 
with the determination of the consequences of a blast attack. 
The mode of building failure is particularly critical because of 
the potential for loss of life and total loss of mission that could 
result from a collapsing building. For example, single points of 
failure, such as a column, beam, or shear wall that if it fails, could 
initiate progressive collapse of the building, are considered critical 
assets that warrant not only careful analysis but also adequate 
protection, especially against an explosive attack. The Murrah 
Federal Building in Oklahoma City, damaged by an explosive 
attack, is considered a classic example of a catastrophic failure 
from progressive collapse. 

During an assessment of the consequences of an attack, the 
question must be addressed whether disruption of service, partial 
damage, or total collapse is the mode of failure considered most 
likely to occur. The obvious exposure of a key structural element, 
such as a column or beam, is an indication that a careful evaluation 
is necessary. 

An example of a disruption of service is an attack against a 
utility system, such as the building commercial power substation, 
or another building facility, such as an attached parking structure 
or covered walkway, where very few fatalities would be expected 
but certainly the building operation would be disrupted until such 
time as necessary repairs could be completed. 


136 РАКТ ОМЕ 


9.4.1.4 Protective Systems and Potential Upgrade Techniques 


There are several techniques that may provide differing levels of 
hardening if the concern for protection from an explosive attack is 
found to be a critical consideration and the decision is to proceed 
with some form of upgrade or retrofit. Before analysis can proceed, 
the amount and type of explosive and the distance to the building 
and facility are required. The engineering concern relates to the 
potential for partial, progressive, and/or total collapse where the air 
overpressures and shock from the blast exceeds the strength and 
resistance of the existing structural systems. It is thus important 
to perform a preliminary structural analysis to evaluate weak- 
nesses of elements of the building before any potential hardening 
techniques can be ascertained. 

The objective of the building hardening strategy must also be 
established, which might include any of the following: (1) remain 
standing and entirely intact except for slightly damaged facade 
and some window breakage, (2) remain standing while allowing 
for some damage to structural elements if rapid evacuation of 
all surviving occupants can still be ensured, (3) remain partially 
standing, without progressive collapse, while allowing for most of 
its occupants to evacuate to “safe havens” to be rescued as soon 
after the attack as possible. Although selecting one of these pro- 
tective strategies against a blast attack is challenging for decision 
maker(s), several different levels of risk and uncertainty can also 
be assigned to the ultimately selected hardening technique that 
still meets the design objective. The hardening techniques that are 
available range from structurally strengthening exposed critical 
members such as columns, beams, floor slabs, and walls using 
fiber-reinforced polymer composites to providing for redundant 
structural members that protect against failure or progressive col- 
lapse. More commonly used hardening techniques are applied in 
the field in the form of wraps around columns and coatings on walls 


Risk Reduction Strategies 137 


and floors, using the appropriate bonding procedure, resulting in a 
composite that indeed strengthens the weaker structural members. 


9.4.1.5 Alternative Plans, Standoff Distances, and Access Control 


If the blast-hardening techniques discussed above are evaluated 
and found to be prohibitively expensive or not cost-effective in their 
specific application, alternative strategies and plans might be eval- 
uated that may well provide some degree of protection but may 
not include actual hardening of the structure. An assured means 
of keeping any large quantity of an explosive device at a distance 
from key structural members is certainly useful and advantageous. 
The chance of damage to a structural element in a building is sig- 
nificantly reduced (exponentially) when a standoff distance can be 
assured through some means (also depending on the amount of 
explosives used in the attack). Various barrier systems discussed 
above that provide an obstruction to vehicles carrying explosives 
provide a viable means of protection. Their effectiveness against 
an attack can now be best evaluated through analysis that offers 
some level of confidence that building destruction or severe dam- 
age as a function of distance would be extremely difficult. The 
primary consideration in a design to meet a criterion for a specific 
standoff distance is to ensure that there will be no penetration 
of the perimeter by an adversary’s vehicle loaded with explosives. 
Therefore, some means for controlling vehicle access inside the 
perimeter is required, through a security gate, sally port vehicle 
inspection station, and/or driver authentication procedures. It is 
important that the design criteria for standoff distance and secu- 
rity requirements be well integrated and that both support the 
security strategy and design objectives. 


9.4.1.6 Calculation Capabilities, Expertise, and Resources 


Several levels of computer calculations can be performed to eval- 
uate the effects of explosive attacks on buildings and facilities. 


138 РАКТ ОМЕ 


The basic parameters that are normally required to perform such 
calculations to determine the extent of structural failure, dis- 
placement, and/or partial damage include: (1) the characteristics, 
shape, energy-release efficiency, and quantity of explosive mate- 
rial; (2) the distance the explosive material is placed away from the 
target (building and facilities); and (3) the technical description of 
the structure under attack, including construction materials, type 
of building, configuration of the key structural members, and their 
respective dimensions and strength properties. 

The most technically sophisticated level of analysis for blast- 
structure coupled interactions use primarily finite-element-based 
computer simulations. These computer simulations calculate the 
blast environment and impact on the structure, such as overpres- 
sure and its duration (impulse), that is produced by the detonation 
of a well-known and easily manufactured energetic material such 
as the mixture of ammonium nitrate and fuel oil (ANFO), or other 
standard explosives such as tri-nitro toluene (TNT), or C-4 plas- 
tic explosives, to mention a few. The energy released and the 
accompanying blast impacts from these characterized explosives 
(using a hydrodynamic code such as CTH) are then coupled by 
computer simulation techniques (using ZAPOTEC, as an example) 
with the finite element structural response codes of actual three- 
dimensional buildings and facilities (such as the PRONTO 3-D 
structural dynamics code). These calculations produce detailed 
assessments of the damage resulting within the structural mem- 
bers, such as the percent strain in the materials, displacements 
of structural components, and resulting modes of failure that 
represent expected material behavior response derived from the 
principles of fracture mechanics and material behavior properties. 

The next level of computer simulations for blast effects are 
less sophisticated and more simplified in determining structural 
response from blast than those described above. Damage results are 
more general and qualitative. For example, the levels of damage 


Risk Reduction Strategies 139 


are usually summarized into three general categories: (1) total 
destruction and/or building collapse with large loss of life and 
property, and the building is not recoverable after the event; 
(2) medium damage to the building that includes some loss of life, 
medium structural member failures, no building collapse, and the 
building being potentially repairable for future use after the event; 
and (3) minor to no damage with no loss of life, easily recoverable 
from, and with minor repairs to restore operations. This level 
of analysis determines a first-order magnitude estimate of the 
damage severity and the possible requirement for alternatives 
for protection. Included in the alternatives are: (1) increasing the 
standoff distance, (2) hardening to mitigate the expected higher 
consequences, and/or (3) revising the criterion to some lower level 
of explosive threat and accepting the higher level of risk for a 
higher level of consequences that might occur. 

The third level of model simulation for blast effects, which is 
less sophisticated and further simplified for the user, applies the 
extrapolations from graphs of blast effect curves that are based 
on performance of ideal explosive material quantities and standoff 
distances from a target. The series of curves that are determined by 
calculating the overpressure and impulse from a series of quantities 
of ideal explosive charges, such as TNT, are plotted on a graphic 
display to indicate the rate at which the explosive effects decay 
as a function of distance away from the source of the detonated 
material. These curves can then be used to predict, in a generic 
way, the degree of potential damage that might occur to buildings 
and facilities in the event of a blast impact on structural systems 
and components, including concrete or steel buildings, masonry 
walls, glass windows, and human bodies subjected to the blast 
loads. 

The U.S. Treasury Bureau of Alcohol, Tobacco and Firearms 
(ATF) has produced for general application a generic table of 
explosive blast effects that are expressed in terms of the distances 


140 РАКТ ОМЕ 





Publisher's Note: 

Permission to reproduce this image 
online was not granted by the 
copyright holder. Readers are kindly 
requested to refer to the printed version 
of this chapter. 





Figure 9.2 Generic Table of Explosive Blast Effects. 


concerning lethal impacts, minimum distances for evacuation 
requirements, and falling glass hazard distances from a target 
under attack (see Figure 9.2). These data are effective in planning 
for standoff distances from an explosive attack and developing 
emergency action plans for minimizing blast effects on humans 
anywhere in the area of the attack. Other, more specific, blast 
effects data on structures, humans, and equipment, although avail- 
able, are restricted for use by authorized personnel who have the 
need and expertise for its appropriate application. 

A blast analysis consultant with the appropriate credentials and 
experience will provide suggestions on the analyses that will assist 
in determining the best calculation options available for the specific 
building and circumstances. The less sophisticated calculations 
might be preferred initially to scope the level of damage that is 
anticipated and to estimate the order of magnitude of costs that 
would be involved if hardening options were to be pursued. There 
are numerous institutes, companies, and government agencies that 


Risk Reduction Strategies 141 


have clear expertise to assist with blast analyses as appropriate. 
Detailed review of their past analyses and interviews with their 
experts will benefit the project by allowing the experts to suggest 
options on how to proceed with a more cost-effective approach, one 
phase at a time. The final analysis would entail the determination 
of the appropriate hardening techniques that would provide the 
protection that is deemed most effective, if any at all. 


9.4.1.7 Decision-Making Issues and Supporting Data 


Finally, the analysis must conclude whether or not blast protection 
does in fact provide the risk reduction that meets the expecta- 
tions of the owners/stakeholders and is the best alternative for the 
credible threat scenarios that are described. This decision depends 
clearly on the issues of: (1) the credible threat and the likelihood 
of attack, (2) the size of the explosive charge predicted to be deliv- 
ered and the determination of the location of the specific critical 
targets, and (3) whether there is absolute consensus that there 
are no other options to mitigate consequences in the event of a 
destructive attack. 


9.4.2 Redundancy 
9.4.2.1 Redundancies and Backup Systems 


Building and facility redundancies and backup systems are 
normally considered for critical assets that if interrupted by a 
malevolent attack would seriously jeopardize the mission of the 
organization. Typical examples of redundancies and backup sys- 
tems include: (1) electric power using a backup generator or 
uninterrupted power supply (UPS), (2) alternative external sources 
of commercial power to the building with secondary transformer 
banks at local substations, (3) dual external supply lines for water 
sources and dual water pipeline distribution inside the building 
for firefighting, (4) redundant air-cooling systems for critical com- 
puters in data centers, (5) dual security and fire alarm systems 


142 РАКТ ОМЕ 


for building management, (6) alternative communication systems, 
including telephones, radio, and cell phones, (7) backup equipment 
such as computers, motors, fans, transformers, that are usually 
located near the operational areas for rapid replacement, (8) other 
miscellaneous redundancies that pertain sometimes to staff, mate- 
rials and supplies, shipping and receiving, ingress/egress, and the 
like. The key security requirement for redundancy is that the 
systems need to have as large as possible separation distances to 
ensure that a single-point attack does not destroy both the primary 
and redundant systems at one strike. 


9.4.2.2 Inventory and Stockpile Plans 


The primary security requirement for inventory and stockpile 
planning is the assurance that adequate equipment and supplies 
are readily available in the event of an attack, to accelerate the 
recovery operation. This capability is especially important if equip- 
ment and materials cannot be readily obtained and in sufficient 
time to successfully recover from an attack. Of particular interest 
are items that have a long lead time for delivery such as trans- 
formers, HVAC chillers, electric controls and switch gear, and other 
special equipment that might have only one supplier and that one 
in a foreign country. Stockpile plans would consider emergency 
materials that need to be readily available at the site or nearby, 
such as water for firefighting and first aid and medical supplies, 
including vaccines in the event of a biological attack, respirators 
and masks for evacuation purposes, and the like. The value of 
doing a check of inventory and stockpile plans is that this provides 
assurance that if mitigation strategies depend on this material, its 
availability on-site, which might be the most critical requirement 
to minimize losses is assured. 


9.4.2.3 Material and Contract Support Plans 


Related to the inventory and stockpile plans, there is specifically 
the need to have prearranged contracts and support agreements 


Risk Reduction Strategies 143 


to provide for the needs of the building and security manager 
immediately upon the initiation of recovery plans following an 
attack. The planning that is required here refers to the identifica- 
tion of what activities can be accomplished with in-house resources, 
including additional personnel, and the activities that will require 
the support of others. 


9.4.3 Optimized Recovery Strategies 
9.4.3.1 Backup and Alternative Projects 


Backup and alternative projects refer to those similar buildings 
and facilities that can be made available to perform the mission 
in the event the primary building is destroyed. This provides 
for a continuity of operations, provided that a sufficient number 
of personnel survive or others can be hired, at short notice, to 
perform the tasks required to reduce the impact to the mission. 
A good example of this type of alternative project applies to an 
emergency operations center (EOC) that might also be attacked 
and deliberately destroyed to confuse and complicate a recovery 
operation. An alternative EOC project can be preestablished and 
ensures that the necessary equipment and systems for the mission 
are ready for use in an emergency. An alternate mobile command 
center could be helpful to reduce initial costs and maintenance and 
operations considerations. Some agencies have multiple buildings 
in the region and plans for an alternative backup to allow for more 
rapid recovery. 


9.4.3.2 Options for Project Control Centers and SCADA 


Some building missions operate with a project control center 
concept that is the nerve center of the organization. Within this 
designated control center usually rests the supervisory control and 
data acquisition (SCADA) function, as well as other operations, 
communications, and controls for mission purposes. For example, 


144 РАКТ ОМЕ 


ап ЕОС for a community would obviously be a critical asset and 
a potential target to attack using a variety of different scenarios, 
including “preattack” destruction. The objective of studying a con- 
trol center and the SCADA mission, contents, and systems is to 
evaluate the impact if it is destroyed and establish if there are 
alternative plans for restoring its function in a short time period, 
as needed. Some critical control centers that are used for distri- 
bution of vital services, such as electric power, water resources, 
gas and oil, and the like, are designed to have alternate sites that 
can begin operations at the “flick of a switch.” The more common 
administrative buildings and facilities might have plans that rely 
on outside control center resources and support agreements for 
backup. For example, SCADA systems that are used for remote 
and automatic controls, such as those for dams and lock opera- 
tions, water resources and power transmissions and distributions, 
and petroleum materials pipeline conveyance and distributions, 
are often equipped with manual overrides that can be used in 
the event of a cyber- or physical attack, once it is detected by 
the operators. Such SCADA systems located inside buildings or 
supporting facilities, even if not important for internal building 
management and operations, might be critically important for sys- 
tems outside the building’s perimeter and require investigations 
for needed protection or possible backup. 


9.4.3.3 Customer Agreements and Clarity of Strategy 


Customer agreements in this regard deal with those outside cus- 
tomers that are dependent on the building owner for continuous 
service. If these types of agreements are seriously binding, penal- 
ties and liability issues might occur in the event of an attack 
that is not followed by immediate restoration of service. Mitigation 
strategies in this situation would pertain to the urgency of recov- 
ering to meet the customer’s expectations and ensuring that there 
are no further cascading damages incurred by the interruption 


Risk Reduction Strategies 145 


of those services. The strategy to accommodate this requirement 
might entail a stipulation in the agreement that in the event of 
an interruption of service, the supplier will restore services in a 
prescribed number of days or weeks, perhaps depending on the 
mission and the extent of the damage. The importance of clari- 
fying the mitigation and/or recovery strategy, because a service 
agreement is at stake, is apparent if the objective is to mini- 
mize any consequences to the building owner, stakeholders, and 
customers. 


9.4.4 Emergency Planning 
9441 Emergency Action Plans 


Emergency action plans play a vital role in consequence mitiga- 
tion. Most organizations have emergency action plans to address 
a natural disaster or other emergencies. These plans are use- 
ful in reviewing and understanding the existing actions that are 
taken following an event and in identifying critical elements, such 
as water sprinklers, fire alarms, evacuation routes, and the like. 
Any weaknesses that are discovered, especially those deficiencies 
that were not addressed because malevolent threats were not 
considered previously, must be examined for mitigation. When 
the security operations plans are revised, emergency action plans 
must be reviewed and updated to address all existing mitiga- 
tion strategies. 


9.4.4.2 Early Warning Systems and Evacuations 


Early warning systems are in operation today at locations where 
naturally occurring events can be monitored and their direction of 
impact is predictable. In the event they occur, advance warning is 
given to occupants that a storm or flood is jeopardizing the area and 
evacuation from the premises is suggested. In the event that early 
warning can be applied to a malevolent attack, all efforts must be 
made to take advantage of alerting all occupants to evacuate or 


146 РАКТ ОМЕ 


assemble, for example, in a safe haven designated in that building 
for that purpose. In order to be effective, all early warning systems 
must first be linked to early detection of the event, and secondly, 
to the occupant notification and broadcast system. 


9.4.4.3 Temporary Security Response Force and Positioning 


When appropriate, the federal government alerts the nation that 
a heightened state of threat is recognized from credible intelli- 
gence data; many federal agencies are then prepared to take the 
necessary actions to protect their facilities against a potential 
attack. With guidance from a completed risk assessment evalua- 
tion, the critical assets within a building have been identified, and 
some additional security measures would most likely be planned 
or in place to protect the critical asset(s). If these countermea- 
sures are not cost-effective, or if funding is not available to install 
a permanent security system, other options must be considered. 
The advantage of placing a temporary security response force at 
or near the critical asset(s) for the duration of the federal alert 
period, or for longer periods, is worth considering. It is wise to have 
all the planning ready for this option in advance and any required 
support contracts in place or readily available. Upon notification, 
additional response force personnel can be positioned at the sites 
identified for 24/7 coverage, if necessary. 


9.4.4.4 Law Enforcement Tactics 


It should be noted that law enforcement tactics are important, to 
detect, apprehend, arrest, and neutralize the attacking adversary. 
If support from a law enforcement agency is required to augment 
an existing security force at a building or to intercept the adversary 
during periods when there is no security force on duty, security 
operation plans must be established to provide specific guidance on 
how local law enforcement can support the needs for the building. 
The tactics to be applied and the equipment that would be used 


Risk Reduction Strategies 147 


must be discussed with the building’s security manager well in 
advance so that instructions are clear and notification links are 
well established. 


9.4.4.5 First Responder and Equipment 


The first responders are the most critical personnel at the scene of 
an emergency when it comes to saving lives, minimizing casualties, 
and protecting against further destruction. As first responders, 
these individuals place their lives at risk because of the unsafe 
and insecure conditions that they are frequently required to face. 
In order to provide a safer and more secure work environment 
for them in advance, serious consideration must be given to 
how building configurations, access points, ingress/egress routes, 
and prestaged equipment can assist their operations. Detailed 
discussions and building “walk-around” sessions and personal 
interviews with first responder representatives will highlight their 
needs and assist the security manager in preparing for mitiga- 
tion strategies as a risk reduction measure. As a result of recent 
building disaster site experiences, police and fire chiefs, medi- 
cal officers, and emergency management personnel have clearly 
identified appurtenances that can be installed for facilitating res- 
cue and firefighting operations. Among the more popular features 
include such structures as concrete pads for larger cranes and 
fire equipment, easily accessible critical shut-off valves at the 
street level, gates, openings, stairwells, and elevators that are 
operable during emergencies, first-aid stations in a protected area, 
and safe havens where occupants can assemble and be treated, if 
required. 


9.4.4.6 Local Support and Agreements 


In spite of the arrangements that exist between local building 
owners and municipal fire, police, medical, and emergency man- 
agement departments, local support agreements are beneficial in 


148 РАКТ ОМЕ 


terms of defining the details of the support and the conditions that 
would better foster cooperation and coordination. Ensuring that 
support agreements are current and viable for any emergency at a 
building is certainly a positive action for mitigating consequences. 


9.5 COMBINATIONS OF REDUCTION STRATEGIES 


Sometimes implementation of single strategies either to improve 
protection system effectiveness or to mitigate consequences alone 
cannot reduce the security risk to an acceptable level or can- 
not reduce the security risk cost-effectively. Combinations of risk 
reduction strategies might be explored. Using combinations of both 
security system upgrades and consequence mitigation strategies 
to reduce the risks involved might be beneficial to the overall 
protection of the building and its mission. 

An example of a risk reduction strategy that includes both PPS 
features and consequence mitigation features is discussed with the 
following example. In the event that the threat of concern is a 
chemical-biological-radiological (CBR) event against the building 
and facilities, further examination of the HVAC systems, and 
especially the air-intake openings and systems, is required. All 
points of potential entry of any contamination into the building 
must be protected to minimize the exposure of personnel, property, 
and critical equipment. Early detection of contaminants entering 
the building and subsequent shutdown of the ventilation systems 
would provide some mitigation and will most likely minimize 
the effects to occupants and equipment. Applying some means 
of internal positive pressure and filtration upon detection of a 
contaminant can also be effective, depending on the equipment 
involved and the duration of the exposure. In addition, establishing 
evacuation plans for personnel in the event of a CBR attack is 
crucial so that the safe haven chosen does not cause more exposure 
of the personnel, but provides first aid, fresh air, and necessary 
protective gear. Protecting personnel and computer equipment 


Risk Reduction Strategies 149 


against corrosive contaminants such as sulfuric acid, chlorine, 
ammonia, and certain hydrocarbons requires careful investigation 
prior to proceeding. Biological and radiological contaminants are 
under investigation by numerous agencies of the government, 
and definitive information and protection guidance have not been 
formulated at this time. 

The possibility that implementation costs can also be reduced if 
both reduction strategies are applied might provides another incen- 
tive for pursuing the combination. The usefulness of the complete 
risk assessment becomes more apparent when alternatives and 
options are reviewed and estimates are made of implementation, 
including operations, and maintenance costs and the potential for 
risk reduction are also compared against the current risk level. 
The return on investment and capital is a critical management 
objective and plays a key role in making the decision on what com- 
bination of alternative measures makes the most sense, provides 
the largest risk reduction, and results in the best cost-effective 
solution. Cost-benefit analyses introduced at this stage can also 
assist with the determination of the best course of action to pursue. 

At this point, the basic risk assessment has been completed, 
including the analysis of various upgrade packages. A package can 
be assembled for presentation to the risk managers, including: the 
threat analysis, consequence analysis, system effectiveness analy- 
sis for both the physical and cyber-protection systems, estimated 
security risk level, and identification of strategies to reduce risk. 


9.6 SUMMARY 


In this chapter, strategies were discussed to reduce security risk. 
The two primary methods for risk reduction offered include increas- 
ing the security system protection effectiveness using physical 
upgrades and administrative and operational security options or 
consequence reduction using some form of mitigation strategy. 
Risk reduction measures designed to reduce the likelihood of an 


150 


РАКТ ОМЕ 


Risk 
Reduction 
Strategies 




















Reduce Improve Mitigate Combination 
Likelihood of System Consequences of Risk 
Attack Effectiveness Reduction 
Strategies 
-DETECT -CONSTRUCTION HARDENING 
-DELAY -OPTIMIZED RECOVERY 
-RESPONSE -REDUNDANCY 
-AUTHENTICATION -EMERGENCY PLANNING 


-AUTHORIZATION 
-AUDIT 


Figure 9.3. Summary of Potential Security Risk Reduction 
Strategies. 


attack were not developed because of the unpredictable effective- 


ness of deterrence. Figure 9.3 summarizes possible security risk 


reduction strategies, that is, the protection system functions to 


be addressed to improve system effectiveness and strategies to 


mitigate consequences. 


9.7 REFERENCES 


. American Society of Civil Engineers, “Structural Failures: Modes, 


Causes, Responsibilities,” ASCE National Meeting on Structural 
Engineering, Cleveland, Ohio, April 1972. 


. Attaway, Stephen W., Matalucci, Rudolph V., Key Samuel W., 


Morrill, Kenneth B., Malvar, L. Javier, and Crawford, John 
E., Enhancements to PRONTOSD to Predict Structural Response 
to Blast, SAND2000-1017, Sandia National Laboratories, Albu- 
querque, NM, May 2000. 


. Garcia, Mary Lynn, Design and Evaluation of Physical Protection 


Systems, Butterworth-Heinemann, Burlington, MA, 2001. 


. Garcia, Mary Lynn Vulnerability Assessment of Physical Protec- 


tion Systems, Butterworth-Heinemann, Burlington, MA, 2006. 


. ICBO Evaluation Services, Inc., “Acceptance Criteria for Concrete 


and Reinforced and Un-reinforced Masonry Strengthening Using 
Fiber-Reinforced Polymer (FRP), Composite Systems.” AC125, 
Whittier, California 90601, January 2001. 


10. 


11. 


Risk Reduction Strategies 151 


. Matalucci, R. V. and Miyoshi, Dennis S., O’Connor, Sharon L., 


An Introduction to Architectural Surety® Education, SAND98- 
2086, Sandia National Laboratories, Albuquerque, NM, Septem- 
ber 1998. 


. Matalucci, R. V., “Architectural Surety® Tutorial,” Innovative 


Technology for Disaster Mitigation: An Architectural Surety® 
Conference, Washington, DC, October 27—29, 1999. 


. Matalucci, R. V. and Miyoshi, Dennis S., “An Introduction to the 


Architectural Surety® Program,” Proceedings of the Conference 
on Architectural Surety®: Assuring the Performance of Buildings 
and Infrastructures, Sandia National Laboratories, Albuquerque, 
NM, May 14—15, 1997. 


. Sandia National Laboratories, ZAPOTEC reference Albuquerque, 


NM, May 2000. 

U.S. Army Corps of Engineers, Anti-Terrorism Planner (AT Plan- 
ner), Engineering Research and Development Center (ERDC), 
Vicksburg, Mississippi. 

“Vehicle Borne Improvised Explosive Device (VBIED),” ATF Vehi- 
cle Bomb Table, http://www.nationalhomelandsecurityknowledge- 
base.com/Research/International_Articles/VBIED_Terrorist_ 
Weapon_of_Choice.html. 


9.8 EXERCISES 


. Describe the two major elements that are used in the risk reduction 


process, and indicate why reducing the likelihood of an attack is 
difficult, ifin any way possible. 


. What extent of the risk assessment effort is necessary before any 


risk reduction technique can be determined? 


. Where does the decision maker(s) come into the risk assessment 


process, and what data is required before any decision can be made? 


. What are the three physical security functions that must be 


addressed to improve protection system effectiveness in order to 
reduce risk? What are the three cyber-security functions that must 
be addressed to improve protection system effectiveness? 


. List some of the possible consequence mitigation strategies. 


1. What are possible consequence mitigation methods for each 
strategy? 


152 РАКТ ОМЕ 


2. Describe why they are or are not as useful in reducing risk. 

6. List some of the recovery strategies that might be useful for build- 
ings and facilities, and describe what actions need to be taken to 
ensure that the described risks are reduced. 

7. Why and where would a blast analysis be required, and how would 
the decision be made to proceed with recommended hardening 
against a potential attack? 

8. What are the three different types of blast analysis calculations 
that can be performed, and where and how would each be applied? 


Сһарїег 10 


Evaluating Impacts 


The first requirement of a recommended security risk reduction 
strategy is that it does indeed reduce security risk, ideally to the 
acceptable level defined by the site. The next consideration is most 
likely to be the cost of implementing the recommended package. 
Implementation of security risk reduction strategies or packages 
may also impact several areas of the facility, such as operations 
and schedules. Often the response of the public may be a con- 
sideration in the appropriateness of a particular risk reduction 
strategy. There may be building- or facility-specific impacts that 
management will consider when making risk management deci- 
sions. These impacts can be anticipated, and evaluations of the 
relative severity of the impacts are included in the process because 
these impacts are significant considerations for risk management 
decision makers. Impacts are evaluated as High, Medium, or Low, 
with these categories defined by the site. 


10.1. RISK LEVEL 


Risk can be reduced by decreasing one or more of the three fac- 
tors in the risk equation, namely likelihood of attack, protection 
system ineffectiveness, or consequences. Measuring the amount 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


153 


154 РАКТ ОМЕ 


of reduction for likelihood of attack afforded by a risk reduction 
strategy is difficult because human behavior is notoriously vari- 
able and thus hard to predict with confidence. Risk reduction 
strategies most often focus on upgrading the protection system 
(to reduce system ineffectiveness) or reducing the consequences 
of a successful attack. Reductions in the likelihood of attack may 
well be associated with these strategies, but credit for any reduc- 
tion in likelihood of attack cannot be taken because it cannot be 
mathematically demonstrated. 

The obvious question is whether or not the risk reduction pack- 
age will lower the risk value, and if so, by how much. The effect 
of a risk reduction strategy or package on the risk level of the 
building or facility is estimated by using the relevant risk assess- 
ment steps — threat analysis, consequence analysis, and/or system 
effectiveness assessment — to estimate the new security risk if the 
strategy or package were implemented. 

ASDs should be reviewed to ensure that proposed protection 
system upgrades affect all paths. It is important that the most- 
vulnerable adversary path for the upgraded system be adequately 
protected. For example, if during the upgrade process, the pro- 
tection objective includes detecting the intruder at the property 
boundary, every penetration of the boundary must have a means of 
detection. Likewise, all paths should have adequate delay. Some- 
times placing delay features at the critical asset allow all paths 
to be affected. Reviewing the ASDs helps prevent overlooking the 
protection of any penetrations. 

The protection system effectiveness for the upgraded system 
(intended to reduce system ineffectiveness) must be estimated. 
The same process used in Chapter 7, “System Effectiveness,” to 
estimate the effectiveness of the existing or baseline protection 
system and to identify any site-specific vulnerabilities is now used 
to estimate the effectiveness of the upgraded protection system in 
reducing or eliminating the identified vulnerabilities. 


Evaluating Impacts 155 


















































Path Elements for Most Detection Level Delay Time (Seconds) 

Vulnerable Scenario Baseline Upgrade Baseline Upgrade 

Gate (pedestrian) Low 0 

РгорепуАгеа И 

Door (pedestrian) Medium 30 

Building Interior Area 3.5 

Door (pedestrian) Medium 10 

Control Room Area 0 

Тазк а! Тагде! Medium 15 

Delay Time After Detection A: 28.5 sec A: 28.5 sec 

Response Time В: 300 ѕес В: 300 ѕес 

Estimated Baseline System Effectiveness Level Baseline System Effectiveness: 

Estimated Upgrade System Effectiveness Level Low Upgrade System 

A<B, System Effectiveness = Low Effectiveness: 

A~B, System Effectiveness = Medium 

A>B, System Effectiveness = High 








Figure 10.1 Example Summary Form for Comparing Estimated 
Protection System Effectiveness (PE) Values for Upgrade Package to 
Baseline Protection System Effectiveness Values. 


Figure 10.1 shows a form that can be used to summarize the esti- 
mation of Pg for the upgraded system. Also, consequence values 
associated with each undesired event, as developed in Chapter 5, 
“Consequence Analysis,” should be reviewed to determine the 
effects of the consequence reduction features. Figure 10.2 shows a 
form that can be completed to compare the example baseline con- 
sequences for undesired events to the consequences for the same 
hypothetical undesired events occurring with the recommended 
upgrade package implemented. Use the site-specific Reference 
Table of Consequences and relative consequence values for unde- 
sired events developed in Chapter 5, “Consequence Analysis,” to 
estimate the consequence values for each recommended package. 

Figure 10.3 shows a worksheet that can be used to record the 
likelihood of attack, system ineffectiveness, consequence, and esti- 
mated risk values for each risk reduction package by adversary type 
and undesired event. Such detailed records provide an excellent 
paper trail for quality control purposes as well as documenting the 
risk assessment. 


156 


РАКТ ОМЕ 





Measure of Consequence 


Consequence Severity 


































































































Val By Type By Event 
Undesired Event = аце H/M/L H/M/L 
уре Вазе- Up- а Base- Up- |Base- Up- 
line grace line grade |їпе grade 
Disruption of Economic loss (property $3M M 
Operations loss + revenue) 
(sabotage of vital | Economic loss (users) 0 L 
equipment by cyber-| Deaths 0 L 
attack) Geographic Impact Local L 
Public confidence 6mo H 
Enter 
highest H 
conse- 
quence 
Theft of Valuable | Economic loss (property $3M M 
Asset(s) loss + revenue) 
precious metals) _|Economic loss (users) 0 L 
Deaths 0 L 
Geographic Impact Local L 
Public confidence 1 day L 
Enter 
highest 
conse- М 
quence 
Crimes against Economic loss (property 0 E 
People loss + revenue) 
(hostage situation) | Economic loss (users) 0 L 
Deaths 0-1 Е 
Geographic Impact Local L 
Public confidence None 
Enter highest L 
consequence 

















Figure 10.2 Example Summary Form for Comparing Estimated 
Consequence (C) Values for Upgrade Package to Baseline Consequence 


Values. 


Finally, the summary form provided in Figure 10.4 compares 


the baseline (or original) system risk to the upgraded system risk 


for the threat groups that apply. This summary form should be 


prepared for each recommended risk reduction strategy. 


Evaluating Impacts 157 















































Measure of Consequence Consequence Severity 
By Type By Event 
Undesired Event Value На И 
Туре Base- Up- а U 
line grade Бале Ж Ыр Ор 
line grade line grade 
Destruction of Economic loss (property | $7M H 
Building loss + revenue) 
(vehicle bomb) Economic loss (users) 0 | 
Deaths 10-20 H 
Geographic Impact Local L 
Public confidence 6 mo. H 
Enter highest H 
consequence 




















Figure 10.2 (continued) 





RISK CALCULATION WORKSHEET (RISK REDUCTION PACKAGE) 

















ADVERSARY TYPE 
Date: Recorded by: 
Facility Identifier: Package Identifier: 
Undesired Event РА с 1-РЕ RISK 





Disruption of Operations (sabotage of vital 
equipment by cyber-attack) 


Theft of Valuable Asset(s) 
(precious metals) 








Crimes against People 
(hostage situation 





Destruction of Building 
(vehicle bomb) 























Figure 10.3 Example Risk Calculation Worksheet for Risk Reduction 
Packages. 


10.2 COSTS 


Probably the single most important impact (after reducing secu- 
rity risk) of implementing security risk reduction packages is 
the cost. While a detailed and precise cost estimate would be 
premature, costs for packages will be compared by management 
decision makers. The dollar cost of packages will be assigned a 
value of High, Medium, or Low, with each category representing 


158 РАКТ ОМЕ 





SYSTEM RISK COMPARISON (Original vs. Upgraded) Summary 
Date: Recorded by: 
Facility Identifier: Package Identifier: 


RISK VALUES, by Adversary 











Original Upgraded 


System — >| System 


Adversary —>| Terrorist 

















International 
Domestic 
Militia/Paramilitary 
Extremists 
Criminals 

Gangs 

Vandals 

Insiders 

Other 


| Undesired Event 

1. Disruption of 
Operations 
(sabotage of vital 
equipment by cyber- 
attack) 

2. Theft of Valuable 
Asset(s) (precious 
metals) 

3. Crimes against 
People (hostage 
situation) 

4. Destruction of 
Building (vehicle 
bomb) 




























































































Figure 10.4 Example System Risk Comparison Summary Form. 


a range authorized by the risk manager or other management 
stakeholder. After costs are estimated for each proposed upgrade 
package, a means to record the costs for easy comparisons is use- 
ful. Figure 10.5 shows graphs that can be used to present costs for 
several packages. (As evident from figure, this format can be used 
for several impact areas, not just cost information.) 

The bar graph in Figure 10.5 can be shaded (manually or elec- 
tronically) with appropriate values to allow comparison of relative 
costs associated with upgrade packages: L = Low, M = Medium, 


Evaluating Impacts 


159 





IMPACTS OF SECURITY RISK REDUCTION PACKAGES 





















































Date Recorded by: 

Facility Identifier: 

Impact Level 

Circle level and shade graph below 

aS Package 1 Package 2 Package 3 Package 4 
no 

О 

о LMH LMH LMH LMH 
о, ДНИ 
25 

oo 

Бо L M H L M H L M H L M H 
25 
оф 

о © 
= LMH LMH LMH LMH 
5 Е 

о 
Бо 

Package 1 Package 2 Package 3 Package 4 


Figure 10.5 Displaying Relative Impacts of Multiple Risk Reduction 


Packages. 





























and H = High. Individual sites define the cost values for L, M, and 
H, thus allowing the decision makers to establish cost boundaries 


for the recommended risk reduction packages within the available 


resources. 


10.3 OPERATIONS/SCHEDULES 


Implementation of an upgrade package could have a negative 


impact on operations or schedules if it imposes delays or significant 


160 РАКТ ОМЕ 


changes in normal practices. An estimate must be made of the 
impact on operations imposed by the risk reduction package(s). 
The form shown in Figure 10.5 for recording costs can also be used 
to display the relative impacts to operations and/or schedules of 
the recommended risk reduction packages. For the example form 
shown in Figure 10.5, the middle bar can be shaded manually or 
electronically to compare disruptions to operations and/or sched- 
ule for the protection system upgrade package(s) and consequence 
mitigation packages recommended to reduce the estimated secu- 
rity risk. On this form, L = Low, M = Medium, and H = High; 
individual sites define the impact values for L, M, and H in 
order to render this comparison more valuable for decision su- 


pport. 


10.4 PUBLIC OPINION 


Public opinion or political relations can be sensitive to some risk 
reduction packages. Credibility and acceptance by the public are 
important. An estimation of the impact on public opinion imposed 
by the upgrade package(s) must be made. Figure 10.5 can be used 
to compare the impacts of each risk reduction strategy on public 
opinion, using the relative terms L, M, and H. Decision makers 
or risk managers at the building or facility of concern define the 
impact values for L, M, and H. 


10,5. “OTHER SITE-SPECIFIC CONCERNS 


Risk reduction packages could cause concerns that are site-specific. 
Some of these could be impacts on facility reliability, rate payer vs. 
the taxpayer issues, political sensitivities, environmental concerns, 
and the like. The risk analysis should identify any other sensitive 
issues that could result from upgrading the protection system or 
reducing the consequences of a malevolent attack. The graphs in 
Figure 10.5 could be labeled and completed for any site-specific 
concerns. 


Evaluating Impacts 161 


10.6 REVIEW THREAT ANALYSIS 


To this point, the project-specific threat has been used for the anal- 
ysis. After reviewing the comparative risk values for the upgraded 
system and the baseline system and the results of the impact anal- 
ysis of the risk reduction packages, a subset of the project threat 
may be selected for the design threat. It may not be possible to 
reduce the risk to an acceptable level by upgrading the protec- 
tion system or reducing the consequences. The impact of cost or 
any of the other parameters may require that a lesser threat be 
addressed. This revised threat spectrum is a decision that speci- 
fies what will be protected against at this time. For example, if a 
risk reduction package is selected for implementation, the decision 
may be made to establish the design threat as the adversarial 
groups that are addressed by that particular upgrade package. 
The remainder of the threat spectrum would then be addressed 
permanently on a future schedule and addressed immediately by 
contingency security measures. 

Complete Figure 10.6 to summarize the revised threat if it is 
different from the project-specific threat. 





Revised Threat Description 














Date: Recorded by: 
Facility Identifier: 
Type of ` p z 
Adversary Number | Equipment Vehicles Weapons Tactics 



































Figure 10.6 Revised Threat Description Form. 


162 РАКТ ОМЕ 


10.7 SUMMARY 


The risk reduction strategies and packages recommended to reduce 
the security risk at the subject building and facility do not exist 
in a vacuum. Implementing an upgrade to the protection system 
to prevent a successful adversarial attack or mitigating the con- 
sequences of a successful attack will have impacts at the facility 
or building beyond the security realm. These impacts must be 
analyzed as they affect risk management decisions. The risk level 
before and after implementation should be reviewed to ensure that 
the risk reduction strategy or strategies to be implemented do, in 
fact, reduce risk to an acceptable level. Other impacts to be ana- 
lyzed include costs, operations and schedules, public opinion, and 
other impacts that are specific to the site. This chapter provides 
tools for analyzing those impacts. 

In the event that the impact analysis shows that risk reduction 
strategies implemented at the building or facility are not adequate 
to reduce the security risk to the acceptable level for the site-specific 
threat, a subset of the threat may be selected to be addressed at 
the current time. The balance of the site-specific request would be 
addressed as soon as possible. 


10.8 REFERENCES 


1. Biringer, Betty, “Risk Assessment Method for Electric Power 
Transmission,” presented at Carnahan Conference on Security 
Technology, sponsored by IEEE, Albuquerque, NM, October 
2004. 

2. Sandia National Laboratories Security Risk Assessment Method- 
ologies, http://www.sandia.gov/ram. 

3. Matalucci, Rudy and Strothman, John, “Security Risk Assess- 
ment Procedures: Countering Terrorism and Other Threats,” 
Infrastructure Security Course sponsored by ASCE and San- 
dia National Laboratories, Las Vegas, NV, January 26-27, 
2006. 


Evaluating Impacts 163 


10.9 EXERCISES 


. Why is it necessary to consider impacts that are not related to 
security issues when considering security risk reduction schemes? 
. List several examples of possible site-specific impacts of security 
risk reduction schemes. 

. If security risk cannot be reduced to an acceptable level by upgrad- 
ing the protection system, what other alternatives are there? 


Chapter 11 


Risk Management Decisions 


This risk assessment process was developed to support risk man- 
agement decision makers. At this point in the Security Risk 
Assessment and Management Process, two steps remain: gen- 
eration of a report of risk assessment results for presentation to 
management and risk management decisions. 


11.1 INTRODUCTION 


The security risk assessment effort culminates in the presentation 
of the results to the decision makers or other requesting man- 
agement representatives. The decision makers are provided with 
the description of the threat, an estimate of the current security 
risk, recommendations for reducing that risk, and an analysis of 
the impacts of implementing each potential risk reduction pack- 
age, including an estimation of the reduction in risk afforded by 
each package. All supporting documentation is provided to the 
decision makers. 

The site-specific estimated security risk to the subject facility 
is an accurate and thorough snapshot in time. If the security 
risk is deemed to be too high for any given undesired event or 
threat, the guidance on reducing risk provides information on the 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


165 


166 РАКТ ОМЕ 


effectiveness of various risk reduction strategies and packages and 
the nonsecurity impacts of implementing each strategy or package. 

The purpose of the security risk assessment is to provide the 
information necessary to support risk management. The decision 
maker reviews this material, perhaps asking for clarification or 
further detail, and determines whether the identified estimated 
security risk at the building or facility is within an acceptable limit 
or requires reduction. 


11.2 RISK ASSESSMENT RESULTS 


To support the decision makers with adequate information, the 
assessment team presents the estimation of security risk at the 
facility or building, recommended risk reduction strategies and 
packages, all supporting documentation, and all assumptions that 
were made in order to complete the risk analysis. This material 
is usually presented in a briefing, which affords decision makers 
the opportunity to request clarification or additional data and ask 
any questions about the assessment, including its assumptions, 
conclusions, recommendations, and supporting data. 

In addition to the briefing presentation, a final report summa- 
rizes the security risk assessment performed at the facility. The 
results of the assessment and any proposed mitigation efforts are 
presented in the report, which contains sensitive information that 
must be protected. This documentation provides information that 
can be used by management to support resource allocation deci- 
sions. The final report is a snapshot of the comparative risk values 
for a specific facility from specific threats at a specific point in time. 
The format for the final report consists of the following sections: 


e Executive Summary 

e Introduction 

e Threat Analysis 
Consequence Analysis 


e System Effectiveness Assessment 


Risk Management Decisions 167 


e Risk Estimation 

e Risk Reduction Strategies and Packages 
e Impact Analysis 

e Supporting Documentation 


A brief description of the contents of each of these sections is 
provided below. The results discussed in this report support the 
recommendations, and the underlying effort that provided the 
summary information is available in the completed site-specific 
work products. 


11.2.1 Executive Summary 


This one- or two-page summary provides a very brief overview of 
the subject site-specific risk assessment and management process. 
At a minimum, the work that identified the likelihood of attack 
by an adversary, the consequences of such an attack, and the 
effectiveness of the existing security system in preventing such 
an attack should be summarized in the Executive Summary. A 
summary description of the recommended risk reduction packages 
and the associated impacts should be included. Be sure to include 
summary significant findings in this section, as it is likely to be the 
most widely read section of the report. 


11.2.2 Introduction 


This is a very short section that explains: 


e The rationale for performing security assessments on facil- 
ities (increasing incidents, Presidential Decision Directives, 
management decisions, collective concern of regulating bod- 
les, etc.). 

e The sensitivity of the data included in the report and the 
requirement to protect the information. Specify that the fault 
tree and any other extremely sensitive material omitted from 
the final report can be viewed on a need-to-know basis. 


168 РАКТ ОМЕ 


e Why this facility was selected (high-profile facilities, threats 
have been received, incidents of vandalism or crime have 
increased, formal or informal screening by management, 
demonstration purposes, etc.). 

e A very short description of the facility, focusing on any 
security issues (incidents, concerns, upgrades, failures, etc.). 

e An introduction to the risk equation and its components. 

e The structure of the report (Executive Summary, Introduc- 
tion, Threat Analysis, Consequence Analysis, System Effec- 
tiveness Assessment, Security Risk Estimation, Security 
Risk Reduction Strategies and Packages, Impact Analysis, 
and Supporting Documentation). 


11.2.3 Threat Analysis 


Likelihood of attack is the first component of the risk equation. 
Two aspects of likelihood of attack are discussed in the final report: 
the site-specific threat and a summary of the threat analysis. 

List the various adversaries identified as potential threats to 
the facility. Work products specifying further information on the 
number of people in the adversary group, the types of equipment 
available to them, any vehicles or weapons the adversary might 
have, and the tactics to be expected from the adversary should 
be included in the supporting documentations for each adversary 
identified at this particular facility. Identify the most significant 
of the undesired events and include all work products in the 
supporting documentation. 

The reader is referred to supporting documentation for more 
information. 


11.2.4 Consequence Analysis 


Consequence is the second component estimated for the risk 
equation. The final report discusses the values (High, Medium, 
or Low) assigned to the consequence of an undesired event occur- 
ring. The undesired events are plotted against the likelihood of 


Risk Management Decisions 169 


attack by each of the adversaries threatening the facility. The 
most significant of these undesired events are identified. 

The reader is referred to the supporting documentation for more 
information and the complete summary. 


11.2.5 System Effectiveness Assessment 


Security system effectiveness is the third and last component 
estimated for the risk equation. Five aspects of the protection sys- 
tem effectiveness are discussed in the final report: high-priority 
undesired events; a site-specific ASD that models the physical pro- 
tection system at the facility by identifying the adjacent physical 
areas between offsite and each critical asset, including any sys- 
tem features, such as a door or a wall, between adjacent areas; 
selected adversary scenarios; a cyber diagram that models the 
cyber-protection system at the facility; a site-specific vulnerabili- 
ties summary; and a table that summarizes the security system 
effectiveness at the facility. 

The final report should include a narrative description of any 
significantly easy, likely, or damaging adversary scenario. It should 
identify and include a narrative description of any significantly 
easy, likely, or damaging adversary scenarios/undesired event/ 
system vulnerability combinations. 

The reader is referred to supporting documentation for more 
information. 


11.2.6 Risk Estimation 


The three variables of the risk equation — likelihood of attack, 
consequence, and protection system ineffectiveness — have been 
defined, described, and assigned values so that a relative security 
risk value can be calculated for each identified medium- or high- 
priority undesired event. A narrative discussion about the relative 
risks and whether such levels of risk are acceptable to management 
should be included in the final report. (Threshold risk levels are 
usually specified at the onset of the assessment.) 


170 РАКТ ОМЕ 


The reader is referred to the supporting documentation for more 
information. 


11.2.7 Risk Reduction Strategies and Packages 


If the security risk is deemed to be unacceptably high for any given 
undesired event or threat, the efforts undertaken to identify ways 
to reduce the risk should be described. 

Upgrades to increase security system effectiveness for each unde- 
sired event must take into consideration the PPS functions of 
detection, delay, and response and the cyber-protection functions 
of authentication, authorization, and audit; ways to increase these 
capabilities are suggested. Upgrades to decrease the consequence 
of an undesired event occurring are developed if it proves impos- 
sible to prevent an adversary from causing an undesired event. 
The final report should include a narrative description of an adver- 
sary/undesired event combination with a significant reduction in 
risk associated with an upgrade package. 

The upgrade package or packages that provide the most sig- 
nificant reduction in risk with the least negative impact are 
recommended. Both short-term and long-term upgrades may be 
recommended. These recommendations are intended to provide 
decision-support information for management, so it is important to 
justify the recommendations, based on collected and analyzed data. 

The reader is referred to the supporting documentation for more 
information. 


11.2.8 Impact Analysis 


The final report provides a summary comparison among upgrade 
packages under consideration. Relative values for costs, impacts 
on operations and schedules, and public opinion are assigned so 
that the impact of various upgrade packages can be compared. The 
final report should include a narrative description of the summary 
comparison of the impacts of potential upgrades. 


Risk Management Decisions 171 


If the impacts appear to be limiting, a threat level description 
against which the upgraded protection system or consequence 
reduction package will be effective may be developed. It may not be 
feasible to protect against the site-specific threat, but some subset 
of that threat can be reflected in this threat level description. 

The reader is referred to the supporting documentation for more 
information. 


11.2.9 Supporting Documentation 


All work products and supporting documentation should be orga- 
nized and presented in appendices, with the exception of fault trees 
and other sensitive information, which should be protected. This 
sensitive material may be viewed upon request by decision makers 
with a demonstrated need to know. 


11.2.10 Report Overview 


This report provides the data required to support security man- 
agement decisions. In addition, the report and its supporting 
documentation provide a way to trace accountability, a base- 
line record, and site-specific data with potential application to 
other problems or issues beyond security. Should the threat, the 
mission or consequences, or the security system change at the facil- 
ity, the report provides information that will greatly reduce the 
level of effort required for subsequent assessments. The baseline 
record will also be very helpful for such other issues as changed 
requirements, resources, emphases, and/or management. 


11.3) RISK MANAGEMENT DECISIONS 


Risk programs use a combination of risk financing and risk control 
tools to manage the risk. Risk financing is primarily insurance. 
Risk control includes: 


e Risk avoidance, which is accomplished by eliminating the 
source of the risk. Moving hazardous material out of a 


172 


РАКТ ОМЕ 


building that cannot adequately protect it to a building 
specifically designed to protect hazardous material is an 
example of risk avoidance. 

Risk reduction, which is achieved by taking action to lower 
risk to the building or facility to prevent or reduce the sever- 
ity of the loss. This is the goal of many security programs — to 
lower risk by implementing security measures or, if the 
attack cannot be prevented, to mitigate the consequences of 
the attack. 

Risk spreading, which is accomplished by having similar 
services/processes/assets at more than one facility site. By 
separating assets, fewer assets are placed at risk during any 
given adversary attack. 

Risk transfer, which is the use of insurance to cover the 
replacement or other costs incurred as a result of the loss. 
Risk acceptance, which is the recognition that there will 
always be some residual risk and, in some cases, it nay be 
more cost-effective to live with the risk than to reduce it. 


Deciding the appropriate response to an identified risk is the 


bailiwick of risk managers. The key to a successful decision is 


knowingly determining a risk level that is acceptable, rather than 


unwitting acceptance of an existing amorphous risk. The purpose 


of the risk assessment is to provide the decision makers with the 
information they need to make and support good decisions. 

Informed by the risk assessment data, the risk manager can 
better choose whether to: 


Accept the risk. A risk manager might select this option 
when the consequences of an attack or undesired event 
are less costly in some way than preventing the attack or 
mitigating the result. 

Buy more insurance. If the consequences are less than dev- 
astating, this could be a cheaper way to manage risk. 


Risk Management Decisions 173 


Request further analysis. Different assumptions or informa- 


tion may yield a more informative or useful analysis. 

e Reduce risk. Risk can be reduced by increasing protection 
system effectiveness or by mitigating consequences. Con- 
sequence mitigation usually involves people, procedures, 
policies, training, and equipment. Consequence mitigation 
is an appealing choice for a building or facility because gen- 
erally it is a more cost-effective approach for reducing risks 
than buying physical protection technologies. 

Establish a threat-level description that describes a subset 
of the site-specific threat that can be protected against right 
now, with plans for addressing the higher-level threats as 


resources permit. 

Develop a contingency protection system upgrade that can 
address a low-level threat all of the time and can be 
ramped up to address a higher-level threat when an ele- 


vation in the threat level occurs, such as an alert or 
emergency situation. 


The risk manager uses the information provided in the briefing 
and final report to determine the appropriate response to the 
security risk. This information is intended to provide them with 
the data necessary to make difficult decisions concerning resource 
allocations for managing security risk at the subject facilities 
or buildings 


11.4 ESTABLISH DESIGN THREAT 


One of the most important products of risk management decisions 
is to set the level of threat for which the security system upgrade 
will be designed. Historically this particular threat description is 
called the (design threat). The design threat may be the threat 
description used in the risk assessment or may be some modifica- 
tion of it. 


174 РАКТ ОМЕ 


11.5 SUMMARY 


The action items in Risk Acceptance or Mitigation belong to the 
decision makers. The role of the assessment team is to provide 
accurate security risk estimates and risk reduction strategies, sup- 
porting documentation, assumptions used in the assessment, and 
any other information required or requested to inform manage- 
ment decisions on the level of security risk that is acceptable at 
the particular site, building, or facility assessed and how best to 
achieve that acceptable level. 


11.6 REFERENCES 


1. Biringer, “Betty, Risk Assessment Method for Electric 
Power Transmission,” presented at (Carnahan Conference 
on Security Technology, sponsored by IEEE, Albuquerque, 
NM, October 2004. 

2. Sandia National Laboratories Security Risk Assessment Method- 
ologies, http://www.sandia.gov/ram. 

3. Matalucci, Rudy and Strothman, John, “Security Risk Assessment 
Procedures: Countering Terrorism and Other Threats,” Infrastruc- 
ture Security Course sponsored by ASCE and Sandia National 
Laboratories, Las Vegas, NV, January 26—27, 2006. 


11.7 EXERCISES 


1. What do you think is the most important factor driving risk man- 
agement decisions? 

2. Do you think that insurance is a reasonable approach to managing 
risk against an international terrorist adversary? What about a 
vandal? Where would you draw the line? What information would 
you need to make this decision? 

3. What other uses can you think of for the information in the final 
report? How often do you think risk assessments should be per- 
formed? What occurrences might trigger the need to update the 
security risk assessment? 


Сһарїег 12 


Summary 


This textbook has demonstrated an analytic process to qualitatively 
assess security risk. 

Application of the analytic process helps managers understand 
and manage the security risk for their facility, business, or indus- 
try. An overview of the Security Risk Assessment and Management 
Process is presented in this chapter. Figure 12.1 describes the 
process. 

First a risk assessment team, made up of subject matter technical 
experts, is established. After the entire risk assessment process 
has been completed by the team, management will receive a risk 
assessment package which will consist of a statement of the threat 
description, detailed analysis of the security risks, several options 
for reducing the risks to acceptable levels, and an impact evaluation 
on total costs, operations, schedules, and acceptability. 

The risk assessment process has ten required steps and two 
optional steps: 

Optional — Screening analysis to prioritize corporate assets 


1. Characterize the facility. 
2. Analyze the threat and estimate the likelihood of 
attack. 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


175 


176 


РАКТ ОМЕ 














Optional Screening Facility Characterization 


У 











Analysis 








У 


Threat Analysis РА 











У 


Consequence Analysis || С 





























Optional 
ы Prioritization 
+ Analysis 
System Effectiveness |] P_ 
Assessment 








+ 


Risk Estimation R=P,*(1— P.)*C 















































f NO 
Risk Level - 
Р tation t 
Greater than Impact Analysis —| Мел: к, 
Threshold? g 
YES 


Risk Management 


: 5 Decision 
Risk Reduction Strategies — 











Figure 12.1 Security Risk Assessment and Management Process. 


3. 


Estimate consequences from the attack. 


Optional — Prioritization analysis to prioritize specific facility 


assets 

4. Assess the effectiveness of the physical and cyber- 
protection systems. 

5. Estimate relative security risk as a function of: 
a. Likelihood of attack 
b. Security system ineffectiveness 
c. Consequence 

6. Compare estimated risk level to threshold. 

7. Suggest risk reduction strategies, if estimated risk level 


is above threshold, followed by re-evaluating the conse- 
quences and protection system effectiveness to measure 
and ensure relative security risk reduction. 


Summary 177 


8. Analyze impacts of risk reduction packages. 
9. Present results to management. 
10. Risk management decisions are made. 


The risk assessment process begins with basic facts and assump- 
tions and each step builds on the previous step. The final results 
are defendable because they are traceable to the original facts, 
and assumptions have been documented. Results are repeatable 
and updates to any step are easily addressed without starting 
over. The risk assessment process can be adapted to assess the 
security risk for most entities. The security of dams, energy infras- 
tructures, chemical facilities, buildings, and communities has been 
enhanced by the application of the Risk Assessment and Man- 
agement Process. A summary of each step and its methodology 
follows: 

Optional — Screening Analysis 

A method is provided to aid owners with many facilities requiring 
security analysis. The reference parameter for the screening anal- 
ysis is consequence level. First, a common set of undesired events 
is established to be compared for all of the facilities. Next, a rough 
estimate of consequence level is made for each undesired event 
for each facility. Then facilities are ordered based on the number 
of occurrences of the highest level of consequences. Owners can 
use this method to decide whether or not all of their facilities 
need to be reviewed immediately or to prioritize their facilities and 
analyze their most critical buildings first if time and resources are 
limited. 


12.1 FACILITY CHARACTERIZATION 


The products of an effective facility characterization are 


e Complete facility description 
e List of undesired events 


178 РАКТ ОМЕ 


e List of critical assets to be protected to prevent undesired 
events 
e List of protection objectives for the security system 


To develop these products, the risk assessment team begins their 
analysis of each facility by collecting and evaluating the follow- 
ing information: physical details; cyber-information-system details, 
facility operations, existing security protection systems, workforce 
description, and restrictions, requirements, limitations (generally 
regarding codes, compliance, and law). Any security level reduction 
measure, used to thwart attack of the critical assets, will usu- 
ally include as its primary objectives, prevention of the following 
undesired events: 


e Disrupting normal work operations 

e Compromising the structural integrity of the building 
e Compromising the health and safety of occupants 

e Disabling or misusing the utilities 

e Disabling or misusing the HVAC 

e Disabling or misusing the emergency systems 


With detailed information about the facility and identification of 
the protection objectives, a site-specific logic diagram, or fault 
tree, can be created and used to determine all the ways undesired 
events may occur at a particular facility and the critical assets 
to be protected. Once developed, the fault tree will represent 
the components and subsystems of events that can result in a 
specified undesired event. Identification of the assets critical to the 
operations’ components and subsystems will logically reveal which 
assets must be protected in order to prevent the undesired event. 


12.2 THREAT ANALYSIS 


The threat analysis is usually completed by a threat special- 
ist who has established ties and maintains contact with local, 


Summary 179 


state, and federal law enforcement agencies, such as the Federal 
Bureau of Investigation (FBI). The five steps in the threat analysis 
process are: 


Collect information on the potential threat 


e Derive an adversary spectrum for a given building, vicinity, 
or industry 

e Describe adversary capabilities 

e Estimate the threat potential for attack for specific adver- 
sarial groups for a given asset 

e Define the adversarial threat for a given entity 


In general, the adversary spectrum consists of outsiders and 
a single insider, who can be international terrorists, domestic 
terrorists, criminals, extremists, vandals, foreign intelligence per- 
sonnel, psychotics, and anyone with knowledge of operations or 
security systems and who has unescorted access to facilities 
or security interests. Such information as motivation, tactics, 
intelligence-gathering means, targets of interest, expected number 
in group, equipment, transportation, weapons, explosives, techni- 
cal skills/knowledge, financial resources, and potential for collusion 
with an insider is collected by the threat analysis and used to esti- 
mate the likelihood or potential of attack. The insider threat is 
defined in terms of job position and the privileges, knowledge, and 
access to assets and the security system afforded by the position 
that could be exploited. 

A qualitative relative methodology can be applied to assess 
threat potential. Three factors must be considered in this analysis: 
adversary capability, adversary history/intent, and relative attrac- 
tiveness of asset to adversary. Once this information has been 
collected and interpreted, numerical scores can be applied and all 
the scores summed and partitioned into the likelihood of attack 
ranges of Low, Medium, High, and Very High. Results of the threat 
analysis are a definition of the threat spectrum and the values 


180 РАКТ ОМЕ 


used to estimate the first parameter of the security risk equation: 
Likelihood of Attack, P4. 


12.3 CONSEQUENCE ANALYSIS 


Consequence Analysis estimates the value of a particular conse- 
quence for each undesired event for a given facility. From such 
measurable criteria as deaths, economic impacts, loss of assets, 
environmental damage, etc., it becomes possible to develop a Ref- 
erence Table of Consequences as an objective tool. As many specific 
quantitative elements, such as numbers of people, dollar amounts, 
and the like, must be supplied for each applicable consequence. 
Military and industry standards can be used to supply early num- 
bers. From the type of consequence and its extent of impact, the 
severity of the consequence, that is, High, Medium, or Low, can be 
deduced. The value estimates the second parameter of the security 
risk equation: Consequence, C. 

Optional — Prioritization Analysis 

Likelihood of attack and consequence level can be used for 
building owners to identify the assets in their building that 
have a high likelihood of being attacked and represent a high 
level of consequences if lost. A prioritization matrix for the site 
can be constructed by plotting the ordered pairs of threat likeli- 
hood of attack against the consequences of successful attack for 
the most critical adversary group(s). The matrix can be used to 
help management prioritize either a number of different unde- 
sired events for a given facility or prioritize critical assets of 
the facility. 


12.4 SYSTEM EFFECTIVENESS ASSESSMENT 


The objective of system effectiveness assessment is to estimate the 
effectiveness of the protection system, both physical and cyber- 
systems, to meet the protection objectives specified during facility 


Summary 181 


characterization. Effectiveness assessment begins with postulated 
adversarial strategies to accomplish the undesired events that can 
be derived from the site-specific fault tree. Using the strategies, 
ASDs, site information, and the expert opinion of the analysis team, 
adversary scenarios can be suggested that are optimum from the 
adversary’s point of view because they take advantage of system 
weaknesses and paths that are the least protected and easiest to 
accomplish. These adversary optimum scenarios are assumed to 
be the most vulnerable and are used to estimate the effectiveness 
of the protection system. 

Some undesired events may be accomplished by a physical 
attack, some by a cyber-attack, and others by either type of attack. 
A system effectiveness analysis is completed for all attack modes 
that are applicable. For the physical protection system effective- 
ness assessment, the effectiveness and integration of the detection, 
delay, and response functions are used. Simple protection systems 
can be evaluated simply by checking for missing or weak fea- 
tures for any one of the three physical protection functions. For 
complex physical protection systems, the feature detection and 
delay times in Appendix C, “System Effectiveness Worksheets” 
are used to estimate system delay time after reliable detection 
to estimate whether or not the adversary could be interrupted 
before the undesired event is accomplished. If the adversary time 
is less than the response time, system effectiveness is judged 
to be low. 

For cyber-protection system assessment, the effectiveness of the 
system features for the authentication, authorization, and audit 
function are estimated for cyber-paths to the critical assets. 

Insider threat is more difficult to prevent and requires an invest- 
ment in personnel screening, physical protection, cyber-protection, 
and operations security. 

Finally, whenever protection system effectiveness is judged 
to be low, site-specific vulnerabilities are identified. The list 


182 РАКТ ОМЕ 


of site-specific vulnerabilities is valuable later for suggesting 
risk reduction strategies if the security risk is deemed to be 
too high. The third parameter for estimating security risk is 
system ineffectiveness, 1— Pz, the complement of system effec- 
tiveness. 


12.5 RISK ESTIMATION 


Estimating relative security risk requires combining the three 
security risk parameters (likelihood of adversary attack, system 
ineffectiveness, and the consequences of the adversary’s success). 
The traditional security risk equation (below) provides a refer- 
ence level of risk (Very High, High, Medium, Low and Very Low) 
that is estimated for comparison purposes. Security risk is dif- 
ficult to quantify because the three parameters of the equation 
are not random variables, and they are not independent vari- 
ables, thus the mathematical rules do not allow values to be 
multiplied. 


Risk = P4 * (1 — Pg)*C 

P4 = Likelihood of attack 

Pr = System effectiveness 

(1 — Pz) = System in-effectiveness 


C = Consequence 


Associating numbers with the levels and deriving a quantitative 
value for the risk level is a temptation that should be avoided. 
Instead logic and expert judgment should be applied to estimate 
security risk levels based on the assessment-derived values for 
likelihood of attack, system ineffectiveness, and consequences. 
The estimated security risk value provides risk managers with a 
valuable baseline measure of security risks that can be used to 
make informed risk management decisions. 


Summary 183 


12.6 COMPARISON OF ESTIMATED RISK LEVEL TO 
THRESHOLD 


Estimated risk levels are compared to a predetermined risk 
threshold to decide whether further analysis is required. The 
threshold is determined by the analysis team and security risk 
managers; the threshold level is a strict upper bound on the 
security risk level that would be considered acceptable to stake- 
holders. 


12.7. RISK REDUCTION STRATEGIES 


If security risk estimates are greater than the threshold, risk 
reduction strategies are explored. Risk reduction strategies focus 
on two of the three parameters of the security risk equation, namely 
system ineffectiveness and consequence. Likelihood of attack is not 
included because of the unpredictability of deterrence in measuring 
and predicting the duration of its effectiveness. 

Reducing system ineffectiveness means increasing protection 
system effectiveness. The easiest way to increase system effective- 
ness is to review, summarize, and organize the list of site-specific 
vulnerabilities identified in system effectiveness assessment and 
then select protection feature upgrades to remove or secure the 
vulnerabilities. ASDs are reviewed to ensure that all vulnerable 
paths are covered by the upgrades. Both the physical and cyber- 
protection systems may be involved based on the nature of the 
vulnerabilities. Upgrade features will provide protection for the 
detection, delay, and response functions for physical protection 
and protection for the authentication, authorization, and audit 
functions for the cyber-protection system. 

Upgrade features may be grouped in to packages dependent on 
threat level and specific concerns and conditions of the building 
or corporation. Usually three or more different upgrade packages 
are developed. Each upgrade package is then analyzed for sys- 
tem effectiveness. If system effectiveness is estimated to be High, 


184 РАКТ ОМЕ 


especially, the upgraded system would be expected to prevent the 
undesired events; an impact analysis is completed for the upgrade 
package(s). If the system effectiveness is not high enough to pre- 
vent the undesired event, consequence mitigation strategies are 
postulated. Consequence mitigation strategies might include one 
or more of the following: 


e Construction hardening 
e Redundancy/backup 

e Optimized recovery 

e Emergency planning 


Consequence mitigation elements can be grouped into upgrade 
packages and consequence analysis repeated to ensure the con- 
sequence level has been reduced. A new security risk level can 
be estimated for the upgrade packages comprised of improved 
system effectiveness features and consequence mitigation ele- 
ments. System effectiveness assessment, consequence analysis, 
and risk estimation steps are then repeated to ensure security 
risk reduction. 

The estimated risk level is compared to the threshold; if the 
estimated risk is below the threshold, an impact analysis is com- 
pleted. If the estimated risk level is above the threshold, additional 
features are suggested and then system effectiveness assessment, 
consequence analysis, and risk estimation steps are repeated. The 
cycle continues until the estimated risk level is estimated to be 
below the threshold. 


12.8 ANALYSIS OF IMPACTS IMPOSED BY RISK 
REDUCTION UPGRADE PACKAGES 


An analysis is completed to evaluate potentially important impacts 
imposed on the building or facility by the system upgrade packages. 
Impacts to be evaluated are based on sensitivities and specific 


Summary 185 


site concerns and conditions. Impacts analysis generally estimates 
impacts on security risk level, costs, operations, schedules, and 
acceptability by staff or the public. Risk managers need to know 
and understand important potential impacts imposed by the risk 
reduction strategies in order to make risk management decisions. 


12.9 PRESENTATION TO MANAGEMENT 


The final step in the risk assessment process is the preparation 
of a report of risk assessment results and a presentation package 
for the risk managers and stakeholders. The analysis team will 
prepare and present the risk assessment summary. The presen- 
tation generally includes the threat description, the security risk 
estimates for the baseline system, descriptions of any risk reduc- 
tion packages, and the results of the impact analysis for the risk 
reduction package(s). By comparing this to the baseline risk levels, 
managers are able to understand what the upgrade package is 
buying them in risk reduction as well as other potential impacts. 
The total information package provides invaluable information for 
risk management decision makers. 


12.10 RISK MANAGEMENT DECISIONS 


Building owners, stakeholders, and risk managers have the risk 
assessment information package to help them make difficult secu- 
rity decisions. Several different decision outcomes are possible: 


e Accept the security risk level of the baseline system 

e Buy more insurance 

e Implement one or more risk reduction packages 

e Ask analysis team for additional analyses 

e Provide contingency measures for security risks that cannot 
be covered at all times, but can be implemented during 
periods of heightened threat conditions 


186 РАКТ ОМЕ 


Finally, the risk managers decide on the design threat or the threat 
level to which the security system will be designed. This design 
threat may be the threat spectrum used in the risk assessment or 
it may be some subset of that threat spectrum. If the design threat 
is a subset of the assessment threat spectrum, decisions should 
be made on a schedule to address the remainder of the threat 
spectrum as required by threat conditions. 

Chapter 13 demonstrates the security risk assessment and man- 
agement process. This worked example applies the tools and 
techniques described in this textbook. 


Part II 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


Сһарїег 13 


Demonstration of the Security Risk 
Assessment and Management Process 


13.1 INTRODUCTION 


An example building model can provide some of the basic informa- 
tion that is needed for preparing a full security risk assessment 
process. This building model example will also be applied as the 
guideline for obtaining pertinent details that are usually important 
when initiating a security risk assessment and management pro- 
cess of a significant building and its supporting facilities. However, 
the descriptive categories and the extent of the building details 
are considered minimal and generic so that the topical areas of an 
analysis, including a building description and narrative, can form 
the basis for an initial building survey and characterization when 
a risk assessment study is required. 

The building description details that are provided will focus 
primarily on the critical assets that are normally evaluated for life- 
safety and mission-oriented security concerns. Some other building 
descriptive details that are included in this example might be more 
informative for subsequent use in future analyses. The building 
details considered herein as critical assets are those that the 
management and decision makers are most likely to determine 
important for now and also for future projects. 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


189 


190 PART TWO 


This building example will therefore be used to demonstrate the 
application of the risk assessment and management process con- 
tained in this guidebook. A twelve-story building is selected as a 
hypothetical configuration of a facility that might be considered for 
a security risk assessment requirement by its owners/stakeholders. 
The building is located in an urban setting and used for manufac- 
turing expensive jewelry and other similar precious and valuable 
products. The owner might also not wish to publicly divulge to 
the community the production process for security reasons. The 
building also houses the corporate offices and all administra- 
tive functions, including a data center, records repository, and 
inventory control located within the Control Center. The building 
configuration and its critical assets will be described in a fault 
tree, and this example will then provide the database for subse- 
quently performing an actual risk assessment and for evaluating 
some typical risk reduction measures. Any resemblance of this 
example building to an actual facility in the national inventory is 
purely coincidental, as this example is only provided as an aid for 
highlighting the risk assessment and management process using 
a practical example. 


13.2 SECURITY RISK ASSESSMENT AND 
MANAGEMENT PROCESS 


The described systematic analytical process will be used to assess 
security risks for this example building. Figure 13.1 describes the 
order and sequence of the basic steps of the process. The process 
begins with an optional screening analysis for corporations to prior- 
itize their facilities in a business complex. This step will be followed 
by characterization of the subject building, including identification 
of the undesired events and the respective critical assets. 
Guidance for defining an adversarial threat is included, as well, 
for applying the definition of the threat spectrum to estimate the 
threat potential for attack, or likelihood of adversary attack, at this 


Demonstration of the Process 191 















































У 
Optional Screening Facility Characterization 
Analysis 
У 
Threat Analysis | РА 
> 
У 
Consequence Analysis | С = 

Optional 

> Prioritization 
Analysis 














Assessment Е 











У 
System Effectiveness | Р 

















У 
Risk Estimation R= P,*(1-Pe)*C 


















NO 





Risk Level 
Greater Than 
Threshold? 


- Presentation to 
Impact Analysis || Management 


| 


Risk Management 
Decision 


























YES 


























Risk Reduction Strategies 





Figure 13.1 Security Risk Assessment and Management Process. 


specific building. Relative values of consequence are also estimated 
for this manufacturing and corporate operation so that any losses 
from a malevolent attack can be quantified against consequence 
thresholds established by the owner. An additional and optional 
step further allows the owner to begin prioritizing the assets at a 
given facility, if warranted. 

Following the application of the threat and consequence assess- 
ment analyses, the procedure for estimating the effectiveness of 
the security system against the adversary attack will be described. 
Finally, using the three determined parameters of the risk assess- 
ment process, the relative risk will be estimated for the example 
building. In the event that the value of risk is deemed by the 
owner(s)/stakeholder(s) to be above a predetermined threshold (too 
High), the methodology will address a process for identifying and 
evaluating risk reduction that would bring security risk to a more 
acceptable level. 


192 PART TWO 


13.3. SCREENING ANALYSIS 


Assume that the example building is one of seven buildings owned 
by a large corporation. The seven buildings are located in various 
large cities in the country and are multi-use buildings. Several 
of the buildings are located in high crime areas. The concern is 
about the impact of a vehicle bomb, theft of valuable assets, or a 
violent insider incident at one of the buildings. The owners were 
pondering security concerns and wondered which of the seven 
buildings required security upgrades and which buildings should 
be addressed first. A screening analysis was completed to support 
the decision making. 

After lengthy discussions, the conclusions were that the three 
consequence factors that were most important to the owners were: 


e Physical harm to their employees and building occupants 
e Loss of the building and contents (economic) 
e Loss of operations (economic) 


Each of the seven buildings was evaluated for the three factors 
above in terms of relative consequences of the undesired events. 
Table 13.1 summarizes the results. Note that the building conse- 
quence tally looks like: 


e Building A: 2 M, 1 L 

e Building B: 2H, 1M 

e Building C: 3H 

e Building D: 1H, 2M 

e Building E: 1H, 1M, 1L 
e Building F: 3M 

e Building G: 2L, 1M 


The example building, Building C, has 3 H (High) consequence 
values for loss of lives, loss of building, and loss of operations. 


Demonstration of the Process 


Table 13.1 Consequence Evaluation for Each Building 


Building | Undesired Vehicle | Theft of | Violent 
Event Bomb Assets | Insider 
м 
Loss of building M 
(economic) 
Loss of L 
operations 


(economic) 


Maximum 
impact: 


Loss of building 
(economic) 


M 
M 
Loss of 


operations 
(economic) 


Maximum H 
impact: 
Loss of building M M H 
(economic) 
Loss of H H L 
operations 
(economic) 
Maximum H H H 
impact: 

L 


Loss of building H M 
(economic) 


(continued overleaf) 


L 
L 
L 
L 
L 
H 
H 


м | 
ч 





193 


194 PART TWO 


Table 13.1 (continued) 


Undesired 
Event 


Vehicle 
Bomb 


Building 





Loss of 
operations 
(economic) 


Maximum 
impact: 


Loss of lives 


Loss of building 
(economic) 


Loss of 
operations 
(economic) 


Maximum 
impact: 


Loss of lives 


Loss of building 
(economic) 


Theft of | Violent 
Assets Insider 
L 


M 


L 
L 


L 


M 





Loss of 
operations 
(economic) 


Maximum 
impact: 
Loss of lives 


Loss of building 
(economic) 


Loss of 
operations 
(economic) 


Maximum 
impact: 








M 


L 
L 


M 
M 
L 
L 
M 
M 
L 
L 
M 
M 
L 
L 


| 





Demonstration of the Process 195 


Thus, Building C was placed at the top of the list of buildings to 
undergo a complete security risk assessment and explains why this 
security risk assessment is being done. 


13.4 FACILITY CHARACTERIZATION 


An initial step in a security risk assessment is to characterize 
the building to be analyzed. Facility characterization requires a 
thorough understanding of the mission and operating conditions 
of the building, as well as the security concerns. The security con- 
cerns should describe the undesired events — the specific effects and 
impacts that, ideally, the protection system would be made capable 
of preventing, and if not preventing, mitigating. An extension of 
the description of the undesired events is the identification of the 
organization’s critical assets that an adversary would be attempt- 
ing to harm, destroy, or steal in order to cause undesired events. 
The valuable material products of this manufacturing facility and 
the corporate headquarters would be a target for either theft or 
destruction to cause an economic impact on the owner(s) or nation. 

The building characterization procedure must include a complete 
physical description of not only the configuration and layout of the 
building but also its construction and operations details. Included 
in this inventory, at a minimum, are the following: 1) locations of 
site boundaries and surrounding landscape amenities; 2) layout of 
all utility services such as electric power, water, and communi- 
cation; 3) building floor plans and parking facilities that indicate 
ingress and egress routes for vehicles and pedestrians; 4) property 
and building access points, including security policy, procedures, 
and manpower; 5) specific data centers and specialized manufac- 
turing and administrative areas that contain the vital company 
operations; and 6) all other physical and cyber-protection and 
security features and their locations. 

During the building characterization phase, any known vulnera- 
bilities or weaknesses in protection are noted for future evaluation. 


196 PART TWO 


For example, during the interviews with building operators and 
managers, critical assets are discussed and their functions and 
protection weaknesses noted. Such discussions might highlight an 
obvious unprotected exposure of valuable products or materials and 
possibly the location of uncontrolled access to the building. This 
example building characterization procedure can be concluded with 
a general statement of the existing protection system objectives for 
the facility. Usually, the protection system objectives are based on 
the list of undesired events or some subset of the undesired events 
and a summary of the respective critical asset(s) to be protected. 


13,5 OPERATIONS 


The example building that is used for demonstration of the security 
risk assessment and management process is the building previ- 
ously identified in the screening process as requiring a complete 
risk assessment. 

The operational functions of the building include manufacturing 
space with its vital and expensive equipment, controls, and stor- 
age of stock material and finished products. The space is manned 
24/7 by operators working 8-hour shifts. Machines are controlled 
through a programmable system for each product and use the main 
data center located in the Control Center for reference information 
and inventory control. The two manufacturing floors (first and sec- 
ond) and the other corporate facilities (third to twelfth floors) meet 
all safety and health requirements. The manufacturing process is 
the primary mission and the corporate headquarters is considered 
the secondary, but critical, functional requirement for the building. 
Although separated by a distinct secure and operational bound- 
ary, the manufacturing areas are integrated into the operation of 
the corporate and administrative functions by common utilities 
and by the data center that serves the entire company complex. 
Except for the two freight elevators within the manufacturing 
areas that are also used for moving equipment to and from the 


Demonstration of the Process 197 


administrative areas, the other two passenger elevators link all 
the other non-manufacturing functional areas and originate in the 
lobby of the first-floor entrance. Two stairwells are located on the 
north and south side of the building primarily for evacuation and 
other emergency uses. 





Figure 13.2 Example Building. 


198 PART TWO 


The corporate and administrative functions are housed in the 
upper floors beginning with the third floor and continuing to the 
twelfth. Senior corporate staff members are located in the top two 
floors (eleventh and twelfth), and access to those floors is by key 
control from inside the elevators. The administrative functions 
serve the entire company and also provide support to the national 
and international offices. Figure 13.2 shows the exterior of the 
example building. 


13.6 GENERAL DESCRIPTION 
Off-Site 


The building is located in a dual residential and commercial neigh- 
borhood that has a sparsely forested setting with easy access 
to local streets and major highways within a mile. There is a 
nearby train station for public transportation services to the area 
and also taxi service. The area is considered a high-crime and 
high-vandalism district and therefore frequently patrolled by local 
police. The northern boundary of the facility borders multi-level 
commercial facilities, many of which have top-story patios that 
provide clear views of the building. A gate-controlled employee 
and visitor parking area is provided on the northern boundary. 
Curbside parking is also available on all sides of the building. The 
building has a set-back off the curb of approximately 25 feet along 
the east and west sides and about 50 feet at the south side. The 
curb-line at the northern edge of the employee parking is about 
150 feet from the building because of the parking area and delivery 
vehicle access. 

On the north side of the building where the personnel entrances 
are located, the building’s first floor is at the street level. On the 
east and west sides of the facility, the respective streets have a 
gradual downward slope toward the south. The building basement 
floor is located one floor below the street level at the north side 
and at street level on the south side. The basement is primarily 


Demonstration of the Process 199 


used for building operations and maintenance functions, storage 
of high-value stock materials (inside a secure vault room), and 
for utility supply connections, including water, electric power, gas, 
and communications. 

The north- and east-side boundaries of the building are adjacent 
to high-rise apartment complexes that have a clear view of the 
facility through the trees. The west-side boundary of the building 
faces across the street toward low-rise commercial and office build- 
ings. The southern boundary of the facility is also adjacent to a 
commercial area. Just a block further south of the building is a 
commuter train/trolley station and a strip-mall shopping area. 

Figure 13.3 shows the example building floor plan and site lay- 
out. 


Perimeter 


Two double-vehicle gates and chain-link fences form the perimeter 
boundary of the building. One of the vehicle gates is used primarily 
for employee vehicles; the other is used for delivery and shipment 
vehicles. Several unsecured manhole covers are located throughout 
the parking area as access points for the building utilities entering 
the complex. These are within the fenced area and can be monitored 
by the security personnel. Access to the building through these 
manholes is questionable because of the small diameter conduits 
that are used for the utility lines. 


Perimeter Fence 


A chain-link fence marks the entire boundary of the building and 
is mostly along the curb-line. The fence is 6 feet high with dou- 
ble outriggers on top. On the east side of the facility, pine trees 
hang over a segment of the fence line and could hinder effective 
surveillance. On the west side, other types of smaller trees are 
located between the fence-line and curb and some obscuration 
of the building’s first floor is noted. The tautness or strength of 


200 


PART TWO 

































































н 


KEY 1.COURTYARD 
2. LOBBY 
3. LOADING DOCK 





4. VAULT (BELOW) 





7. SALLYPORT 


5. FREIGHT ELEVATORS 8. CHASE 


6. ADMINISTRATION 


9. EMPLOYEE LOCKERS 


H 


z 
te 
О 
= 

























































































































































































































































































4 
ш т Е 
A & | гү) 
6 шы | 
Д o a п 
ў 2 
А = „зв | 
i] 1 
Pi шү п o \ 
т ащ [е 3 
| 























И 























KEY 1.COURTYARD 
2. LOBBY 
3. LOADING DOCK 








mo ae 


4. POWER SUBSTATION 7. SALLYPORT 


5. GATEHOUSE 
6. EMPLOYEE PARKING 


8. FENCE 
9. SITE ENTRANCE 


NORTH 





Figure 13.3 Example Building Floor Plan and Site Layout. 








Demonstration of the Process 201 


the perimeter fence could be greatly increased by adding addi- 
tional fence-tensioning wires. Segments of the fence appear to be 
rusting and deteriorating. The vehicle gates are in a good state 
of repair and are operated by security officers. Another secured 
gate is located along the southern boundary for landscape mainte- 
nance. 


Area Between the Fence and the Building 


Closed-circuit television (CCTV) cameras and post-mounted area 
lights are installed in the area between the fence and the building. 
Camera images are monitored in the Control Center located on the 
first floor of the building. 


Personnel Vehicle Entrance 


The personnel vehicle entrance is lighted and covered by CCTV 
surveillance. A swinging chain-link gate and a lift bar allow cars to 
be checked before entrance is granted. Two security police officers 
staff this gate 24 hours per day, 7 days per week. One officer 
leaves the structure to check credentials of the driver of the vehicle 
and to inspect the vehicle by checking in the trunk, under the 
hood, and under the vehicle using a mirror. The officer inside the 
masonry shelter operates the swinging chain-link gate and the 
lift bar. The security guard shelter also has communication and a 
duress-signaling capability for the officers on duty. 


Shipment Vehicle Entrance 


The separate vehicle entrance is used primarily for deliveries 
and shipments. All FedEx and UPS collections and deliveries 
are also controlled at this vehicle entrance. During shipments or 
deliveries, one security police officer is dispatched to this gate. 
The entrance is lighted and is well monitored by CCTV camera 
surveillance. Delivery vehicles are inspected before the loading 
dock door is opened by the security officer. The security officer 
first checks the credentials of the driver to ensure that the driver 


202 PART TWO 


is listed on the access list. The vehicle is then inspected for con- 
traband. If all requirements are satisfied, the loading door dock 
is opened, the hydraulic vehicle barriers are lowered, and the 
vehicle is allowed to proceed to the loading dock ramp inside the 
building. 


Air Route 


Although it is not a normal route, it is possible that the adversary 
could use a hang glider or helicopter to enter the facility boundary. 
If the hang glider could land on the roof, doors or windows (sky- 
lights) on the roof could provide access into the building. Helicopter 
flights over the building are frequent from a local airport. How- 
ever, minimal clearance is available on the roof because of rooftop 
irregularities and obstructions. Landing on the large employee 
parking area is possible only with prior notification to clear some 
of the vehicles. Any unexpected landings would be immediately 
apparent from inside the building. All roof openings and skylights 
are secured from the inside but are not alarmed. 


Building Exterior 


The paved driveway along the building’s eastern boundary can 
serve for first responder access and as the temporary emergency 
evacuation and holding area for employees. Just off the driveway 
to the east of the building is a tank of nitrogen for use in the 
manufacturing process. Three hydrogen tanks are also located 
within the fenced-in area along the same side of the building but 
about 150 feet further toward the southern side of the building. 
A major electric power distribution substation is located in the 
northeast corner of the parking area and is enclosed with a 6- 
foot concrete-block wall and wrought iron double gate. Several 
transformers and a small power control and relay building are 
located inside the enclosure. High-voltage signage is prominently 
located around the enclosure, and electric safety precautions are 
well displayed on notices, indicating that electric shock danger 


Demonstration of the Process 203 


is a concern to the company. This enclosure is located in the 
northeastern quadrant of the vehicle parking area and inside 
the fenced area to further restrict and protect against public 
access. 


Entrances to Building 


The normal entrance is the personnel entrance located just off the 
sallyport. The courtyard includes various doors that could be used 
for entrance into the building. Shipments and deliveries employ 
the vehicle door on the north side of the building. In addition, 
the emergency exits located on the south side of the building, the 
various doors from the roof, and some windows could be used to 
gain entry into the building. 


Personnel Entrance 


The personnel entrance is located just off the sallyport of the 
building. The entrance is operational 24 hours per day, 7 days per 
week. Two security officers staff the entrance. During shift change, 
two additional officers are present. Employees enter the area and 
put their personal items in lockers for storage. They then walk 
through metal detectors. Any items taken into the operations area 
are screened by the x-ray machine. Upon exiting, hand-carried 
items and personnel are screened for metal. 


Courtyard Entrances 


The courtyard at the center of the building contains waste disposal, 
chemicals, and other hazardous materials. Two 500-kVA electric 
power backup generators are also located in the courtyard. These 
generators start automatically and can provide up to 72 hours 
of backup power without refueling. One of the 10 feet by 10 feet 
fresh air intake louvers mounted on the building wall is located 
at ground level in the courtyard; the other is located on the roof 
of the building. A heating, venting, and cooling (HVAC) chiller is 


204 PART TWO 


located on the roof for air conditioning for the data center, pri- 
marily, and secondarily for the administrative and manufacturing 
areas. 

Entrance into the courtyard from off-site is either through the 
sallyport or by air approach from the roof. The outer sallyport 
door is normally open to allow personnel to pass to the personnel 
entrance. The inner sallyport door is normally closed and locked 
and is opened remotely by the security officer only to allow the 
movement of materials into the courtyard or the removal of trash 
from the courtyard area. 


Loading Dock 


All deliveries and shipments into and out of the plant are through 
the single loading dock and are controlled by a tight manage- 
ment security and materials accountability system. The metal 
rollup door at the loading dock is unalarmed and is opened from 
the inside. The door is only closed during off hours and very 
inclement weather. 

For shipments of products outside the building, an accountability 
check is made prior to placing containers on the loading dock. The 
checks for appropriate shipment, including contents and addresses, 
are thoroughly reviewed to ensure accuracy and correct inventory 
of final products. This shipment procedure is also controlled by 
an inventory process at the data center, and no shipment can be 
released without authentication by an appropriately authorized 
individual of the company. 

Two emergency exit stairwells empty into the courtyard. The 
door to the stairwell located in the northwest corner of the court- 
yard has three glass panels. The door has an emergency panic bar 
on the inside and is equipped with a balanced magnetic switch 
(BMS). The metal door to the stairwell located in the northeast 
corner of the courtyard is unlocked. This door provides access to 
the boiler room area. 


Demonstration of the Process 205 


A fresh air intake vent is located in the southwest corner of the 
courtyard. It is not clear that this route would easily allow access 
into critical asset areas. 


Roof Doors 


At the twelfth-floor stairwells from the roof, there are two entrances 
into the building. These doors are adjacent to the hallways that 
lead to the corporate offices. The doors are constructed of wood and 
steel and have glass panels. They are equipped with a BMS, have 
crash-out bars on the inside, and are key-locked from the outside. 


Windows 


Various windows on the manufacturing floors (1 and 2) could pro- 
vide an entry point into the building. However, these windows are 
equipped with security bars. The windows on the other upper floors 
are locked from the inside, but not alarmed, and are not equipped 
with security bars. They open to corporate and administrative 
offices and are above the manufacturing areas. The windows in the 
basement are locked and also have security bars. These security 
bars might be considered a safety hazard and need to be evaluated 
for that deficiency. 


Building Interior 


Various routes exist in the interior of the building that lead to 
critical asset areas. Security features associated with each area 
will be discussed. 


Vault 


The high-value hardened vault is located in the building basement 
at the remote northeast corner, where it is below ground. Exterior 
access would be from the exterior parking area and courtyard 
that is secured and monitored. Interior access would be from 
the interior basement and through the more than 3-inch-thick 
steel vault door that is mounted on a heavy-duty steel frame 


206 PART TWO 


and anchoring system. Although access to the vault area is also 
possible from the courtyard, the exact location is obscured by 
the floor and partitioned walls. The walls, floor, and ceiling of 
the vault are all heavily reinforced concrete more than 12 inches 
thick, and the ceiling and floor are further protected by additional 
8-inch-thick concrete slabs that are part of the actual building 
structure. When the vault is not in use, door switch sensors and 
penetration sensors are located in the vault door, and motion 
sensors are located within the vault. CCTV coverage provides an 
assessment capability. Alarms are annunciated and assessed at 
the Control Center. Authorized access through the vault door is 
monitored by security and controlled by the operations managers 
on duty throughout the 24/7 production periods. Any unauthorized 
penetration into the vault, using either hand tools or explosives, 
will be annunciated at the Control Center and will be responded to 
by an active force. 


Control Center 


The Control Center is located on the first floor of the building and 
contains the data center as well as the security alarm annunciator. 
The control equipment for both the business information technol- 
ogy (IT) system and the production process control system is also 
located in this center. Security system alarms are annunciated in 
the Control Center and operators can use a hard-wired telephone 
to local law enforcement in the event of a security incident. Admit- 
tance into the room is controlled by a cipher lock. Only personnel 
authorized to be in the room are given the combination. Because of 
the dual-business system and process control operations, at least 
two operators are on duty at all times. 


Utilities 
The northeast corner of the first floor level is an important utility 
node for the entire facility. It houses the steam boilers, the water 


Demonstration of the Process 207 


and gas utility ports, the electric power ports, and the communica- 
tion node for the facility. The electric power vault and transformer 
for the building are located just adjacent to this area. This area is 
noted for potentially being a single point of utility failure and will 
require careful evaluation as an adversary target. 


Security Force 


The security force for the building has forty officers. During oper- 
ational hours, ten officers plus a sergeant and lieutenant are on 
duty. One officer is located in the Control Center, two at public 
areas, two at the main vehicle gate, one at the employee entrance, 
one at the employee exit, one shipment officer, one at the shipping 
door, an internal patrol, and two exterior patrols in motorized 
vehicles. Communication is by Motorola Saber digital radios. 


Information System 


The information system for the example building has a two-level 
network consisting of the system network and the corporate net- 
work. The corporate network controls the business IT system and 
the production process control system and was designed for pro- 
tection from outsiders with a strong firewall at the boundary. The 
system network was designed to support the building activities 
that need less restricted communication with the Internet. The 
protection afforded the system network includes a commercial fire- 
wall configured with basic protection mechanisms to deny access 
to important services and servers. An intrusion detection system 
(IDS) monitors all traffic into and out of both networks. 


Undesired Events/Critical Assets 


Undesired events result in undesired consequences. Undesired 
events are site-specific and have adverse impacts on public health 
and safety, the environment, assets, mission, and publicity. The 
analysis team met to determine the undesired events for the facil- 
ity. Natural disasters that could be considered as undesired events 


208 PART TWO 


were not addressed in this analysis. It is possible that the adver- 
sary might use an emergency situation, like an earthquake, to their 
advantage. Emergency procedures for situations like earthquakes 
should be addressed. 

Four categories of events were identified as security concerns for 
the facility: 


1. Crimes committed against people 
2. Damage or destruction of property 
3. Disruption of mission 

4. Theft of assets 


Crimes against people could include hostage situations, murder, 
or activities causing mass injuries, illness, or casualties. Specific 
crimes against people were identified and considered a major 
concern. Sniper fire from the north or east sides of the facility 
was discussed because of the access provided by the residences 
and apartments on these sides of the facility. Hostage situations, 
drive-by shootings, and security force protection incidents were 
considered. Concerns about a disgruntled employee becoming vio- 
lent and committing a violent crime against colleagues were also 
included. Other concerns were mass illness or casualties caused by 
a hazardous material (chemical or biological agent), contamination 
of the facility, an explosion caused by the boilers, a bomb brought 
inside the building, or a vehicle bomb located outside the building. 
Destruction of property and loss of high-value assets by explo- 
sion, arson, or theft were also considered as undesired events. Aside 
from the loss-of-mission issues, the monetary values of the building, 
equipment, materials, or products were considered important. 
Building Fault Trees — The identified security concerns and 
undesired events together with building information were used 
to create a site-specific fault tree for the example building. The 
tree can be used to determine critical assets, those that must be 
protected to prevent an undesired event. The tree can also be 


Demonstration of the Process 209 


used to describe specific scenarios involving critical assets that 
could produce an undesired event. The modified generic fault tree 
branches for the example building are pictured in Figures 13.4 
through 13.10. The trees are annotated for the specific undesired 
events listed above. 

Critical Assets — Once the undesired events for the facility were 
established, the next step was to identify the critical assets that 





Adversary Causes 
Disruption 
of Building Mission 


Т 


У У У У У $ 















































Disrupt Compromise] |Compromise Disable/ Disable/ Disable/ 
Normal Structural Health and Misuse Misuse Misuse 
Work Integrity of Safety of Utilities HVAC Emergency 
Operations Building Occupants Systems 
A A A A A A Not analyzed 
for this site 


Figure 13.4 Top Level of Generic Building Fault Tree. 


A Disrupt Normal 


Work Operations 







































































Damage or Compromise Compromise 
Disrupt ыи Valuable Item(s) Health and Safety 
Information of Occupants 
System Production equipment A 
Packaging equipment 
A Portable Item or Electronic Item 
Information or Information 
Precious metals Proprietary information 
Gems Production data 
Proprietary equipment Process control data 


Figure 13.5 Disrupt Normal Work Operations Branch. 


210 PART TWO 


Analyze all 
branches for bomb 


A Compromise 
Structural 







































































Integrity of Ө 
Building scenarios 
Columns || Foundation || Building || Exterior Other Support || Elevator || Stairwells | | Roof 
Walls Loading Cross Braces Banks 
Ramp 
{ у { { } { { { 
Exterior || Interior Exterior Interior Load- Tie and Floor Emergency || Support Walls 
Load-Bearing || Bearing Walls Cross || Support Pressure 
Walls Beams || Beams System 





















































Figure 13.6 Compromise Structural Integrity of Building Branch. 


A Compromise Health 


and Safety of 
Occupants 











| У У 


Violence — 
Sniper, Destroy CBR Not analyzed 
Hostage Building Contaminate | for this site 


Situation 


Fire Aircraft Explosion Air Water 



































Not analyzed 
for this site 


Figure 13.7 Compromise Health and Safety of Occupants Branch. 


must be protected in order to prevent the undesired events from 
occurring. For the four categories of undesired events described 
above, a set of critical assets was derived. Some assets were 
common to more than one category of events. Table 13.2 sum- 
marizes the undesired events and the associated critical assets 


Demonstration of the Process 


A 








Disable/Misuse 
Physical 
Utilities 








211 





У 


{ 


$ 


{ У 


$ 


{ 

















































































































Figure 13.8 Disable/Misuse Physical Utilities Branch. 





Disable/Misuse 








Not analyzed 


Control ай Waste 5 Compressed 
Equipment Communications Water Gas Electric Power Air Water 

$ v v + 

Commercial Emergency Fire 
Telephone Internet Radio Power Generator oes е fighting 
System System Water 

Transformer Substation 
Vaults 





































































































Emergency Systems| for this site 
| | | | | | 
Disable Fire 
Sensors or Destroy Disable Compromise Disable 
Smoke Firefighting Emergency Emergency Disable On-Site Communications 
Alarms Water Lighting Evacuation Emergency to Emergency 
Communications 
System Systems Response 
Water Pumps| Piping Power Water Supply 
Damage Disable Stairwell Disable Disable Fire- Attack Block 
Safe Pressurization Emergency Suppression Staging Evacuation 
Comm. рр 
Haven(s) System System System Areas Routes 






































Figure 13.9 Disable/Misuse Emergency Systems Branch. 


212 PART TWO 


Disable/Misuse 
Information System 























































































































ee ан Key location for cyber 
Cyber Center assets 
System 
Gain Root Destroy 
Access to System 
System Component 
From On a On Electrical Communication Computer Software Cooling 
Site Power Lines Hardware Equipment 
Control Center Internet 
Alternate Alternate Control 
computers Center 


Figure 13.10 Disable/Misuse Information System Branch. 


and locations. Because of limited available information, the HVAC 
system was not fully analyzed in this study. Therefore, the level 
of mass destruction by chemical/biological agents placed in the air 
supply was not included. It was noted, however, that the air intake 
vents on the roof and in the courtyard were not protected. Simi- 
larly, hazardous materials were found on-site (nitrogen, hydrogen, 
other hazardous materials), but the estimation of level of damage 
or injury that could be caused by releasing or exploding these 
materials was not part of this study. These materials were judged 
to be exploitable because of their location on the perimeter of the 
facility and their lack of protection. The resultant set of critical 
asset locations were: 


e Security and information Control Center 

e Exterior grounds/maintenance room/courtyard (utilities/po- 
wer, wastewater, air intake) 

e Parking areas (curbside, parking lots) 


Demonstration of the Process 213 


Table 13.2 Critical Assets for Building 


Undesired Target Location 
Event 

Crime Sniper People Exterior, 
Against entrances 
People 














Drive-by People Exterior 
shooting 
Exterior People/building | Curbsides/ 
bomb parking areas 
Bomb People/assets Building 
brought interior 
interior 
Chem/bio People HVAC 
attack 
Hazardous People Nitrogen, 
material hydrogen, 
attack Haz/mat area 
Destruction Destruction | Building Curbside/ 
of Property of building/ | structure parking areas, 
equipment boiler room 


area, 
production 
areas 


Arson People/building | Building 
interior 
Tagging Building/ Exterior walls/ 
structures structures 


Disruption Sabotage/ Packaging Production 
of Mission destroy equipment areas 
equipment 














(continued overleaf) 


214 


Table 13.2 


Theft of 
Assets 


PART TWO 
(continued) 

Undesired Target 

Event 

Loss of Wastewater 

wastewater 

Loss of power Power 

Cyber-attack Business IT 
system 
Process control 
system 

Bomb threat People 

Armed robbery | Precious 
metals, Gems 

Proprietary Corporate IT 

information system 
Process control 
system 





e Production rooms 


e Vaults 








Location 


Courtyard 


Exterior utility 
area, interior 
utility area, 
sallyport, 
courtyard 


Control Center 
On-site 


computers 


Building 


Vaults 


Control Center 


On-site 
computer 
terminals 


e Northeast corner of the facility — boilers, water, gas, gene- 


rators 


e Information system 


An important parameter of the risk analysis process is the threat 


13.7 THREAT 


potential, particularly the likelihood of adversary attack. 





Demonstration of the Process 215 


Threat — Before a vulnerability analysis can be completed and 
before threat potential for attack or likelihood of attack can be 
estimated, a description of the threat is required. This description 
includes the types of possible adversaries, tactics, and capabilities 
(e.g., number in the group, weapons, equipment, and transporta- 
tion mode). 

Threat Potential for Attack (Likelihood of Attack) — After 
the adversarial threat spectrum has been described, the informa- 
tion is used together with statistics of past events and site-specific 
perceptions to categorize threats in terms of likelihood that each 
type of threat would attempt an undesired event. Threat potential 
is estimated per undesired event and per adversary group. The 
basis of the parameter estimation is: 


e Characteristics of the adversary group relative to the asset 
to be protected 
e Relative attractiveness of the asset to the adversary group 


Threat information for the facility was based on the threat data 
collected and the perceptions of the analytic team. The threat 
spectrum included outsiders, with the possibility of an insider 
colluding, and a single insider. 


Outsiders 


Because of the lack of site-specific data, threat descriptions were 
examined of historical events with similar concerns. The outsider 
threat spectrum comprised four basic groups: the terrorist threat, 
the criminal threat, the extremist threat, and the gang threat. 
The terrorist threat was defined as two to three individuals armed 
with conventional weapons (handguns, automatic weapons) and 
explosives and/or chemical or biological agents. The terrorist threat 
could also encompass a truck/vehicle bomb attack, backpack of 
explosives carried in, or an air attack (hang glider, parachute 
attack). The terrorist threat is capable of cyber-attack(s) on the 


216 PART TWO 


IT system for financial purposes or the production process control 
system to disrupt the mission of the building. 

The criminal threat is motivated by financial gain. The threat 
was described as two to three armed (handguns) individuals intent 
on stealing materials. They might enter by foot, truck, or air attack 
and use explosives to enter vaults or protected areas. The criminal 
threat might consider cyber attack(s) on the IT system or the 
production process control system. 

Extremists or demonstrators are intent on making a politi- 
cal statement. The group would be expected to be relatively few 
in number. They may or may not resort to violence to achieve 
their stated goal. Taken to the limit, the extremists resemble the 
terrorist threat in capabilities. 

The final outsider category is the gang member. Neighborhood 
gangs abound in the area and tend to be organized and violent. A 
concern is employees becoming gang members. Crimes committed 
against people, as well as armed robbery attempts were discussed 
for the gang threat. 


Collusion 


The collusion threat addresses the possibility that an insider might 
collude with an outsider threat. This collusion could take the 
form of the insider being passively involved, providing critical 
information or knowledge or opening doors, or the insider could be 
actively participating in the attack. 


Insider 


The single insider threat was considered for the facility. Personnel 
undergo a personal background check before employment. Basi- 
cally, background checks are made with local and regional law 
enforcement. Follow-on investigations are rarely done. All insider 
positions that could be held by an insider adversary were consid- 
ered. The positions were considered in terms of whether or not the 


Demonstration of the Process 217 


position involved authorized access to targets and/or the security 
system. The insider could be nonviolent (expected to give up if 
detected) or could be violent (willing to use force to achieve his 
goal). Motivations for the insider adversary could be disgruntle- 
ment with authorities, mental instability, personal financial crisis, 
anger with coworker, or coercion (family held hostage). Table 13.3 
provides a threat spectrum for the facility. 

LIKELIHOOD OF ATTACK — Using the above threat statement for the 
building together with the process described in Chapter 4, the like- 
lihood of attack for the threat spectrum can be estimated. Results 
of estimating the likelihood of attack for the threat spectrum 
are summarized in the following tables. Table 13.4 summarizes 
the terrorist threat, Table 13.5 summarizes the criminal threat, 
Table 13.6 summarizes the extremist threat, and Table 13.7 sum- 
marizes the gang threat. 

Table 13.8 summarizes the insider threat, which is analyzed 
differently from the outsider threats. For the insider threat, a 
threat severity is estimated. Based on security concerns, the work- 
force was divided into three categories. These categories were 
determined by the level of authorized access to critical assets, 
authority, normal work locations, and access to the security system. 
It was assumed that all employees, except security officers were 
screened by the metal detector and x-ray for hand-carried items 
before entering the production area. Insider categories considered 
were: 


e Production/support 
e Business/administration 
e Security officers 


The production/support category comprised all employees in the 
Inventory Management, Plant Engineering, Packaging, Quality 
Assurance, and Management Services Divisions, as well as the 


218 


PART TWO 


Table 13.3. Threat Definition for Building 


Type of —|Number|Equipment| Vehicles |Weapons 
Adversary 


Terrorist 
outsider 
(may 
include an 
insider 
colluding) 


Notes: 


Hand and 
power 
tools, body 
armor, 


chem/bio 


Hand tools, 
body armor 


Signs, 
chains, 
locks, hand 
tools 


On-site 
equipment 


Hand and 
power 
tools, body 
armor 


4х 4, 
АТУ, 
ріскир, 
aircraft 


Car, bus 


Car, 
pickup, 





Tactics 


Cause 
catastrophic 
event, 
hostage, 
sniper, 
cyber-attack 


Handguns, 
automatics,” 
explosives®4 


Handgun, 
explosives 


Property 
theft, 
cyber-attack 


Protest, 
civil disobe- 
dience, 
damage/ 
destruction 


No weapons 


Destruction, 
violence, 
theft, 
hacking 


Handguns, 
automatics, 
explosives 


Drive-by 
shooting 
Robbery 
Violence 


Handguns, 
automatics 


! Insiders include special interest groups such as employees, contractors, ог 


vendors. 


2 Type of weaponry includes large caliber (.50) automatic weapons with 


long-range capabilities. 


3 Explosives (hand-carried) would be limited to what one person could 
carry — pipe bomb (5 lb) or backpack bomb (40—50 1b). 

4 Explosives (vehicle-carried) — compact sedan (500 Ib), full-sized sedan 
(1,000 lb), or van (4000 Ib). 





219 


Demonstration of the Process 


(јрајагао ропитиод) 


а 


Е 


420370 
јо 2800 | «8ојоәр | `Рәѕиод) 








870әлу] 
рәјиәшпәо( 








зарә 


/`8р19 Јо 
иотәтпалј8ә(] 


420370 
019 | 29 





ггја ова! 18ито 50 SIUM 


"рдалтз | 182121и1 | 59227 | 282127и1 $ 
JUALIN] |JUaLIND| 1н г21д980 | раллзгријђ 





25110449, :аполо ќлоѕләарү 





угалц 15шолә | ә Јој уреду о рооцјәҳ ЕР ӘЧЕ] 


PART TWO 


220 


420370 
Ү9 |10201, |40 әѕоя |«8ојоәрү 


8702191 |`рһәплтѕ | 18әләуи1 





‘basuog | pazuawuins0q | JUALIN | JUALIN 


25110449, :аполо Каювләару 





542070 |18әлә7и1 
чән ¿219q0d09 


(рәпициозэ) 


722.191 
quog 
damod 

Јо 85071 
четотг2вот 
Јо 55071 


зарә 
482P др 
420370 
чәфКг) 


гио1881}] /о мо1}йтл81(1 


рәллзвәри[] 





РЄ, ӘРІ 


221 


Demonstration of the Process 


(јргјагао ропитиод) 


51580], 


зарә 
/`8р1д До 


ио1әтпл38ә( 


420370 
019 / шәә 











420730 870әлу] | 1 1 Ы 
1020, |40 әѕоя |«8ојоәрт | `Рәѕиоо) | рәриәшпәо(т ¿21q0dn9 | pasapun 


јоитшлао :дполо ќарѕләарұ 





углу] үгшшиз ә 104 уреду јо рооццезп GEL a1qeL 


PART TWO 


222 


9 


420370 
Ү9 |10201, |40 әѕоя |«8ојоәрү 


G 


8702191 — | 1у1далта | 18212 





‘basuog | pazuawuins0q] | JUALIN | JUALIN 


puru :dnouy Кловадару 





8220110 | 1828лаји1 
чен ¿219q0d09 


(рәпидиоэ) 


722.191 
quog 
damod 

Јо 85071 
четотг2вот 
Јо 55071 


зарә 
482P др 
490470 
Е) 


‘uoiss1py јо иопапаз1т 


ргллзгри/) 





Е ӘРІ 


223 


Demonstration of the Process 


(/юә]ләао рәпитуиоә) 


а 


И 


420370 
Jo aso | «8ојоәр | `Рәѕиоо) 








87021 
рајигшпоа 


JSIWAAIXY 











SUISSD I, 


7арә 
/`8р1д До 


иотопа га 


2/20270 
019 / way) 








11әалп8 | }8әләўи1 | 8212]10 | 18әләўи1 $ 
JUALIN] |JUaALIND| 1н г21д980 | рәпѕәриг 


гдаполеу Кловагару 


угалц | 15шелха 991 ој уреду Jo poouljay!] Q'EL AQEL 


PART TWO 


224 


420370 
Ү9 |10201, |40 әѕоя |«8ојоәрү 








8702197 — | 1галтв | 18212111 | 22027 | 18201и1 
"Ђевиор | разигштооа | тигаато) |qUeLing| 1н ¿21q0d09 


gs1 xy :аполо) Кловагдару 


(рәпиђдиоэ) 


722.191 
quog 
damod 

Јо 85071 
четотг2вот 
Јо 55071 


зарә 
482P др 
420370 
чәфКг) 


гио1881}] /о ио1апал51( 


ргллзгри/) 





9'EL ƏQLL 


225 


Demonstration of the Process 


(юә]ләао рәтпитуиоә) 


зарә 
EEC ELEL 
T| 26 8 9 G G G 1 5 А и0172п478ә(Т 


идләаӢол Јо иођәтпл38ә(т 














5и1700у8 
420370 
пш ер ре» |р тв „ү == 
420370 


:гәјаоәд 18'м1тю8ю вәш1лг) 






42030 870әлу] |`ү1әплт8 | 78әләуип |820770 |}8әлә3и1 лигат 
Уа | плод Јо 2800 | (80102 р] | Бов ио)) | рајигштпооа | јигаапо |гиглато | ‘ISI | син |;219920800| ралзгријј 
бирр) :аполо Кловадару 

















yeas] Suey ay} 10у оецу јо рооцјәі 26! GEL 


PART TWO 


226 


420770 








Jo asom 





słposy}  |`]]1әйлт58| 1821а7и1 
KSojo0apy | ‘basuoy)| payuawnsoq | uasan | JUALIN 


бирр) :аполр) Кловадару 





842070 
`1751Н 








гио1881}] /о мо1}їтл581(1 


18әлә]и1 


4S1H |¿21q0d09| pənsapun 


РИКА 
2/20110-12940) 





ида 





(рәпидиоә) Ер ејдеј 


227 


Demonstration of the Process 


КЕ 
н 
н 


«ләгәб 
10249, 


ка 


YS 
ЧӘН 


ио1вт1]]ог) 40] 
«титјлоаао 


|| | 


топ ү81Н 
тот ysl 


ш228 «6 
Aq1inaag 
01 вваоог у | Аплошту 


| 


Ys 
ysl 


51288 у-1294 5) 
ој зваоогу 





тот 103ел38титшре шәзѕќ$ 
Ба потует}втитшрв/ввәштеп{ 

члан четотицоој, 

Чен ловтлаледп с 


yzoddns/uoryonpoig 


sjassy 


1021804 
03 ѕ8ә22у 4108910 q0f 


(SL) Ajanas }рәлц | әри 8g'ELƏAqLL 


228 PART TWO 


Office of the Superintendent. This category of insiders was assumed. 
to have access to physical critical assets during some part of their 
job assignments. 

The business/administration category comprised the Budget and 
Accounting, Equal Employment Opportunity, Human Resources, 
and Information Technology Divisions. The job assignments of 
this category would not normally provide direct access to physical 
critical assets but would provide access to the information systems 
(corporate IT and production process control). 

The security force category included all security officers autho- 
rized to staff a security post, provide random patrol of the facility, 
or access the physical protection system components. These assign- 
ments may or may not include access to production critical assets. 

Four undesired events were analyzed for the insider adversary 
threat: 


. Violence (in the workplace) 
. Destruction of mission-critical equipment (sabotage, fire) 
. Planting a bomb or device inside the facility 


н со № н 


. Cyber-attack on the business IT system or production pro- 
cess control system. 


13.8 CONSEQUENCES 


The second parameter of security risk is consequence. Consequence 
analysis can be completed after the undesired events and associ- 
ated critical assets have been identified as a part of facility charac- 
terization. The next analysis step is to estimate consequences asso- 
ciated with the loss of specific critical asset(s) for each undesired 
event. Table 13.9 provides the example Consequence Definition 
Table that was used to estimate relative consequence levels. 

The analysis team considered the undesired events and 
categorized them into consequence categories based on their 
perceptions of consequences of loss. Table 13.10 summarizes the 
team’s estimation of consequence level for undesired events. 


Demonstration of the Process 229 


Table 13.9 Consequence Definitions 


Consequence Category Consequence Level 


Total collapse of building structure 
Economic loss greater than $1 million 
Operations downtime one or more years 
Security incident resulting in grave 


damages to corporate reputation 


Damage to building structure but no 
collapse 


Economic loss greater than $500 


thousand but less than $1 million 
Operations downtime — months 
Security incident resulting in moderate 
impact on corporate reputation 

Little or no damage to building 
structure 

Economic loss less than $500 thousand 
Operations downtime — hours to days 


Security incident resulting in minor 
impact on corporate reputation 








Medium 


The results of the consequence estimation exercise are listed 
below. 
High: 


1. 
. Chemical/biological attack 
. Arson (fire that results in loss of life) 
. Sniper 


Noor wo Ко 


(This “results list” is continued on page 238.) 


Bomb — exterior, interior 


. Violent employee 


. Drive-by shooting 
. Loss of wastewater 


. Armed robbery that results in loss of life 


230 


PART TWO 


Table 13.10 Estimation of Consequence Level for Undesired Events 


or interior 





Consequences of Undesired Events 


easure of Consequence | Consequence Severity 


Undesired Event | Type Value |By Type By Event 
H/M/L H/M/L 
Bomb - exterior | Building High 
i i collapse 


Security Medium 
incident 
impact- 
—— 
— 








Hazardous 
material 
incident 








Enter 
highest 
consequence 


incident 
impact- 
reputation 


Enter 
highest 


consequence 





Demonstration of the Process 231 


Table 13.10 (continued) 


Consequences of Undesired Events 


(Measure of Consequence | Consequence Severity 


Undesired Event By Event 


Chem/bio Building Low 
incident collapse 
Economic loss | High 





H/M/L 





Downtime Medium 





Security Medium 
incident 

impact- 

reputation 





Enter 
highest 


H 
consequence 





Downtime High 


Arson (large Building Medium 
fire) collapse 
Economic loss | High 





Security Medium 
incident 

impact- 

reputation 





Enter 


highest 
consequence 











(continued overleaf) 


232 


Table 13.10 


Sniper 


Violent 
employee 





PART TWO 


(continued) 


Consequences of Undesired Events 


easure of Consequence 






Consequence Severity 





Undesired Event | Type 


Building 
collapse 


By Type 
H/M/L 





By Event 
H/M/L 





Economic loss 


Downtime 





Security 
incident 
impact- 
reputation 





Low 
Medium 


Medium 


Enter 
highest 
consequence 


H 





Downtime 


Lo 
Lo 


Ш 
Ш 
Ш 





Security 
incident 
impact- 
reputation 





Enter 
highest 
consequence 








Demonstration of the Process 233 


Table 13.10 (continued) 


Consequences of Undesired Events 
(Measure of Consequence | Consequence Severity 


Undesired Event By Event 


H/M/L 
Armed robbery | Building Low 
with casualties | collapse 
Economic loss | Medium 


Downtime Low 











Security High 
incident 

impact- 

reputation 





Enter 


highest 
consequence 





Downtime Low 





Security High 
incident 

impact- 

reputation 





Enter 


highest 
consequence 











Drive-by Building Low 
shooting collapse 
Economic loss | Medium 


(continued overleaf) 


234 


PART TWO 


Table 13.10 (continued) 


Loss of 
wastewater 


Destruction of 
building 





Undesired Event | Type 






Consequences of Undesired Events 


easure of Consequence 


Consequence Severity 





Building 
collapse 





By Type By Event 
H/M/L H/M/L 





Economic loss 


Downtime 





Security 
incident 
impact- 
reputation 


Low 
Medium 
Low 





Building 
collapse 


Enter H 
highest 
consequence 





Economic loss 


Downtime 


High 
High 


High 





Security 
incident 
impact- 
reputation 


High 








Enter 
highest 
consequence 





Demonstration of the Process 235 


Table 13.10 (continued) 


Consequences of Undesired Events 
(Measure of Consequence | Consequence Severity 


Undesired Event By Event 


H/M/L 
Loss of power | Building Low 
collapse 
Economic loss | Medium 


Downtime 











Low 
Security Low 
incident 
impact- 
reputation 





Enter 


highest 
consequence 





Downtime Low 





Security Medium 
incident 

impact- 

reputation 





Enter 


highest 
consequence 











Cyber-attack - | Building Low 
business IT collapse 
system 

Economic loss | Medium 


(continued overleaf) 


236 


Table 13.10 


Undesired Event 


Sabotage of 
equipment 


Cyber- 
attack — process 
control system 





PART TWO 


(continued) 


Consequences of Undesired Events 


easure of Consequence 






Consequence Severity 





Type 


Building 
collapse 


By Type 





By Event 





Economic loss 


Downtime 


Low 
Medium 





Security 
incident 
impact- 
reputation 


Medium 
Medium 





collapse 


highest 
consequence 





Economic loss 


Downtime 


Low 
Medium 





Security 
incident 
impact- 
reputation 


Medium 
Medium 





highest 
consequence 








Demonstration of the Process 237 


Table 13.10 (continued) 


Consequences of Undesired Events 


(Measure of Consequence | Consequence Severity 


Undesired Event By Event 





Bomb threat Building 
collapse 





Economic loss 


Downtime 





Security 
incident 
impact- 
reputation 





highest 
consequence 


Building 
collapse 





Economic loss 


Downtime 





Security 
incident 
impact- 
reputation 





highest 
consequence 











238 PART TWO 
Medium: 


1. Sabotage of equipment (partial loss of operations) 
2. Loss of power 

3. Cyber-attack on business IT system 

4. Cyber-attack on production process control system 


Low: 


1. Tagging 
2. Bomb threat 


13.9 PRIORITIZATION ANALYSIS 


Tables 13.11 through 13.14 consider the likelihood of attack in 
conjunction with the consequence values associated with the unde- 
sired events for the terrorist, the criminal, the extremist, and the 
gang threat, respectively. 

Undesired Events for Analysis — Based on the tables above, 
the undesired events for each threat were prioritized. Those unde- 
sired events that were associated with Medium or higher likelihood 
of attack and Medium or higher consequence values for a given 
threat were selected for further analysis. 


Terrorist Threat 


e Sniper 

e Bomb 

e Chemical/biological attack 

e Arson 

e Cyber-attack — mission, theft 


239 


Demonstration of the Process 








рооҷцпәут] Ч8їН 


942 – әе}}е-ләд^с) 
UOTSSTUL 


– уезе-3әдҝо 


зәйти$ 

yoeqye 
ГеәтЗототд/Теәтшәҷо) 
quiog 


роочпемут мол 


уволуј (04 
8836], 


рооццәз[гт штгрәр 


qyuowdinbe/surpring 
jo uorjonajseq 
зәмо Јо 8807 
yuourdinbo aseyoqeg 


повгу 

yoeqye 

темејеш ѕпорлеленң 
IO}YEMIISCM JO SSO'T 
Алоддол ропшлу 
sutjooys Aq-aAtiq 


әәпәпбһһәвпогу 
мот 


әәпәпбйәвпогу 
шттрәүү 


әәпәпбәвпог)у 
ЧН 





yeas] SUOMI] JY} 10} BUanbasuos `5л ову }0 рооццәйп LL'EL QEL 


PART TWO 


240 


роочцәут Ч8їН 


woud — Лове 
-лод А) 
UOISSTUL 

– уәете-ләд4ҝо 





pooo umpan роочцәз[гт мол 


yeory} quiog 
SUIdSB I, 


ламод Јо 8807 
упошатпбо oseyoqeg 


лодвмодавм Јо 55071 

зчәшатпрә/витрүтд 

jo чопдоплуво( 

suljooys Aq-eAtiq 

LL ота/шөцу 

лодтис 

увезе 

Кләддол рәшлұ Тетләјеш гпорлехен 
uosIy quiog 


одоопопбовио) 
мот 


әәпәпбәвпог)у 
шттрәүү 


әәпәпбһһәвпогу)у 
ЧН 





yeasY| [PUILUL 4} JOJ BQUaNbasUOd “sa ҳоецу јо рооццадт ZL"EL AGEL 


241 


Demonstration of the Process 


рооццәз[гт чн 


yearyy quiog 





poog шптрәрү роочтәз[гт лхо 


SUISSE, 


you} — yor} e-10qA9 
UOISSTUL 

— ўәе}уе-ләч^с) 
ламод Јо 8807 
yuourdinbo oseyoqeg 


ледвмодввм јо 55071 
Алоддол рошлу 
uosIy 
1чәшатпрә/дитрүтд 
}0 чотуәпл}вә(] 
8шдооу5 Адј-олтл 
LL ота/шөцу 
ләйтис 

увезе 

Тетләјеш гпорлехен 
quiog 


әәпәпбәвпог)у 
мот 


әәпәпбһһәвпогу)у 


шттрәрү 


әәпәпбйәвпогу 
ЧЗІН 





вәл 351шәдхэ әд 10у әоиәпрәѕиоо '5л рту у јо рооццојт EL'EL QEL 


PART TWO 


242 


рооцпомгј 4stH 


sutjooys Aq-eALiq 





рооццәз[гт штгрәрү poor MoT 


yeoryy quiog 
yous — ҳәезе-ләдҝо 
UOISSTUL 

— yoeqje-1eqhg 
зәмо Јо 8807 
yuowidinbe oseyoqeg 


ледвмодввм јо 55071 

1чәшатпрә/дитрүтд 

ў0 чотуәпл}вә(] 

LL ота/шәцу 

зәйти$ 

увезе 

Кләддол рәшлұ Тетләјеш гпорлехен 
џоѕлу quiog 


уводу] Зиво) ду] 10ј озиопбозиођ '5л JILYY 4O pooyljay!] PL'EL ејдеј 


оопопровзиод) 
мот 


әәпәпбһһәвпогу 
шитрәї 


aouenbesuo) 
ЧН 





Demonstration of the Process 243 


Criminal Threat 


e Arson 
e Armed robbery 
e Cyber-attack — mission, theft 


Extremist Threat 
e None 
Gang 


e Drive-by shooting 
e Arson 
e Armed robbery 


Table 13.15 summarizes the results of the prioritization analy- 
sis, especially the undesired events that were judged to have 
Medium or higher consequences and Medium or higher likelihood 
of attack for one or more adversary groups. Next, protection sys- 
tem effectiveness will be assessed for preventing these undesired 
events. 


13.10 PROTECTION SYSTEM EFFECTIVENESS 


The third parameter in assessing security risk, system ineffective- 
ness (1 — Pg), can be derived from a security system effectiveness 
assessment. Security system ineffectiveness (adversary success) 
and security system effectiveness (Pg) are complementary func- 
tions. If security system effectiveness is High, then security system 
ineffectiveness (adversary success) is judged to be Low. The risk 


PART TWO 


244 


px | oof x |+) | == 


иотѕѕтрү 
«ләддоҹ | – 42037ү | – форну | / SPIT НИ LORY 51005 
рәшгу -19840 | soujsaq | иовл у | још угон | 01g / Way) |quog| Xqg-aa1qg |4adiug 


ѕіѕКјеиуу 204 ѕјџәл рәлѕәриг PAZAUOUd GL'EL 21qeL 





Demonstration of the Process 245 


assessment process will evaluate security system effectiveness in 
order to estimate system ineffectiveness (adversary success). 

For most applications, a security system is made up of physical 
protection features and cyber-protection features. Some undesired 
events can be accomplished by a physical attack on the facil- 
ity while others can be accomplished by a cyber-attack on the 
system. A total security system should address both physical 
and cyber-attacks, as appropriate. A complete system effective- 
ness assessment will include a physical protection analysis and 
cyber-protection analysis. 


13.10.1 Physical Protection System Effectiveness 


An effective physical protection system (PPS) must be able to detect 
the adversary early enough and delay the adversary long enough 
for the security response force to arrive and neutralize the adver- 
sary before the mission is accomplished. In particular, an effective 
PPS provides effective detection, delay, and response. These phys- 
ical system functions (detection, delay, and response) must be 
integrated to ensure that the adversarial threat is neutralized 
before the mission is accomplished. 

Adversary Sequence Diagrams (ASDs) were used to estimate pro- 
tection system effectiveness for the threats and undesired events 
derived previously. For some of the undesired events, such as the 
exterior bomb, drive-by shooting, and sniper cases, the adversary 
does not really interact with the physical protection system of the 
facility and an ASD was not developed for these events. The ASD 
is a graphical representation of physical protection elements along 
paths that adversaries can follow to accomplish their objective. For 
a specific physical protection system and threat, the most vulner- 
able path can be determined. This path with the least physical 
protection system effectiveness establishes the effectiveness of the 
total physical protection system. An ASD is developed for a single 
critical asset associated with a specific undesired event. 


246 PART TWO 


The analyses were run with a range of security response force 
times from 0 seconds to 180 seconds. Operating Conditions 1 and 
2 were considered for the analysis. Condition 1 was the production 
hours when building operations were under way. Condition 2 
described operating conditions during the nonproduction hours of 
the day or week. Emergency conditions (fire alarm) and shipments 
were evaluated as a part of Condition 1. 


Offsite Attacks — Exterior Bomb (Terrorist Threat), Sniper, Drive-By 
Shooting 


Exterior Bomb (terrorist threat): 


This undesired event could be accomplished by a vehicle bomb 
detonated outside the building. The vehicle bomb is assumed to be 
a vehicle carrying approximately 500 pounds of TNT-equivalent 
explosives. The targets are vehicle locations adjacent to the build- 
ing. Results address the estimated success of the adversary to 
drive a vehicle carrying explosives near the building or park the 
vehicle adjacent to the building and detonate the explosives before 
the incident could be interrupted. System effectiveness for this 
scenario is judged to be low because public vehicles are allowed to 
park adjacent to the building. A second type of result describes the 
damage or consequence that is incurred if the adversary is success- 
ful in detonating the explosives. The latter results are presented 
in the blast effects Section 13.10.3. 


Sniper (Terrorist Threat) and Drive-By Shooting (Gang Threat): 


For these undesired events, the human target could be any 
employee — a production worker, a security officer, or a building 
occupant who happens to be outside the building. The north and 
east sides of the building are exposed to neighboring buildings that 
could harbor a sniper. Traffic on adjacent streets to the building 
is moderate. The security system does not affect such scenarios. 
Because employees are outside the building at regular times, the 


Demonstration of the Process 247 


system effectiveness values for these scenarios are judged to be at 
the Low level. 


Armed Robbery (Criminal Threat, Gang Threat) 

Several possible targets of armed robbery exist at the building. 
Vaults are located on several floors including the basement. For 
this analysis, Vault L was used for the target because it is known to 
occasionally have a shipment quantity of material and because of 
its proximity to the shipping/receiving door. Insider collusion could 
provide adversaries with information about shipment days and 
times. Further, during shipments, the shipping/receiving door and 
the vault door could be open at the same time. It is assumed that 
a security officer is posted at the shipping/receiving door during 
shipments. The ASD for the vault is shown in Figure 13.11. 

Adversary Scenario: Adversaries climb over or bridge fence, 
traverse to shipping/receiving door that is open during a shipment, 
neutralize security officer, enter building and vault, pack up assets, 
and exit the same way that they entered. 

A major system vulnerability exists for the detection system in 
alarm display and assessment operations. This weakness affects 
numerous adversary scenarios. The main sources of detection 
on the perimeter are the camera surveillance and the security 
force — no exterior sensors are present. Poor lighting and camera 
output result in poor images on the monitors for the security officer 
in the Control Center. In addition, it is not possible for the secu- 
rity officers in the Control Center to effectively watch 20 or more 
monitors to detect an anomaly. The video replay for the alarm 
system was not timely enough to be effective. The security force 
cannot provide reliable detection because they are normally in an 
unprotected position, and they do not all have a duress signaling 
capability. 


248 


PART TWO 


Adversary Sequence Diagram 


Vault — Ground Attack 














































































































































































































Figure 13.11 


ASD for Vault L — Ground Attack. 


Off-Site 
GAT1 САТ2 || рем || РЕМ 
А А А 
Protected Area 1 
GAT3 FEN3 
A Protected Area 2 
I 
PER1 PER2 WND РЕРЗ SHD1 SUR1 
С С С С С 
B Courtyard 
PER4 РЕВ5 SHD2 SUR2 
Building Interior 
DOR SUR3 
Target Area — Vault L 
GAT1 Personnel vehicle gate 
GAT2 Shipment vehicle gate 
FEN1 Outer fence of isolation zone 
FEN2 North side fence 
GAT3 South gate on masonry wall 
FEN3 Masonry wall 
PER1 Personnel entrance 
PER2 Sallyport doors to courtyard 
WND First floor windows 
PER3 South emergency exits 
SHD1 Shipping door 
SUR1 Exterior walls 
PER4 NW emergency exit in courtyard 
РЕР5 NE emergency exit in courtyard 
SHD2 Shipping door in courtyard 
SUR2 Building walls from courtyard 
DOR Door into L vault 
SUR3 Wall into L vault 





Demonstration of the Process 249 


Discussion: For Condition 1, the system effectiveness was judged 
to be Low because of deficiencies in the detection and delay func- 
tions. Because of the deficiencies in the detection system discussed 
earlier and the lack of delay time with the doors open, system 
effectiveness is judged to be very Low. 

Discussion: For Condition 2, it was assumed that the ship- 
ping/receiving door and vault doors were both closed and locked. 
The lack of an effective intrusion detection system caused the 
system effectiveness to be Low. 


Courtyard Attacks — Plant Interior Bomb (Terrorist Threat), Arson 
(Terrorist, Criminal, Gang Threats), Chem/Bio Agents in Air 
Intake (Terrorist Threat) 


Several of the undesired events for the building can be accom- 
plished by accessing the courtyard. These undesired events could 
result in loss of mission, loss of valuable property, and loss of 
human lives. 

A bomb planted in the building interior (in the courtyard) 
could cause major destruction. Blast effects are described in 
Section 13.10.38. The northeast corner of the facility is critical 
because of the location of the boilers and the utilities — gas, electri- 
cal, and water. Both safety (explosion) and loss of mission issues 
are a great concern. 

One of the fresh-air intakes for the building is located in the 
courtyard; the other is located on the roof of the building. The unde- 
sired event of causing casualties or illness by a chemical/biological 
agent introduced into the air system was not completely addressed 
in this analysis. The ability of the adversaries to reach the air 
intake vent before being interrupted by the security force has 
been addressed. It is feasible that an aerosolized canister of a 
chemical agent could be dispersed into the air intake vent. If this 
undesired event becomes a concern, a consequence analysis should 
be completed. This analysis would address a spectrum of chemi- 
cal agents and concentrations, various methods and locations of 


250 PART TWO 


Adversary Sequence Diagram 
Courtyard — Ground Attack 





Off-Site 


ВАТА | | САТ2 || рем || РЕМ 
А А А 


Protected Area 1 




































































A Protected Area 2 























B Target Area — Courtyard 





GAT1i Personnel vehicle gate 
GAT2 Shipment vehicle gate 

FEN Outer fence of isolation zone 
FEN North side fence 

GAT South gate on masonry wall 
FEN Masonry wall 

PER Sallyport doors (portal) 


Figure 13.12 ASD for Courtyard — Ground Attack. 


introducing agents into the HVAC system, the human physical 
responses to the agents, and a thorough characterization of the 
HVAC system. 

The ASD for these adversary scenarios is shown in Figure 13.12. 

Adversary Scenario: Adversaries climb over or bridge the fence, 
enter the courtyard via the sallyport doors, complete their task. 
It is assumed that the adversaries are successful if they can 
complete the task at the target before local law enforcement 
arrives. 

Discussion: The physical protection system effectiveness was 
judged to be Low because of deficiencies in the detection and 
delay functions. General deficiencies in the detection function were 
discussed earlier. Only a single locked door controls access into the 
courtyard. This does not provide sufficient delay to the adversary 
for the security response force to arrive. 


Demonstration of the Process 251 


Information System — Physical Attack 


Loss or compromise of the information system can occur via a cyber- 
attack or by a physical attack, especially to the Control Center. 
The Control Center is located on the first floor of the building and 
contains the control equipment for both the business IT system 
and the production process control system. Security system alarms 
are also annunciated in the Control Center and operators can use 
a hard-wired telephone to local law enforcement in the event of 
a security incident. Admittance into the room is controlled by a 
cipher lock. Only personnel authorized to be in the room are given 
the combination. Because of the dual-business system and process 
control operations, at least two operators are on duty at all times. 
The ASD for the Control Center is provided in Figure 13.13. 

Adversary Scenario: Adversaries climb over or bridge fence, 
traverse to building door that is open by use, neutralize security 
officer, enter building, and proceed to Control Center. They enter 
the Control Center door by force and damage/destroy Control 
Center equipment. The cyber (electronic) scenario will be addressed 
later. 

Discussion: For Condition 1, the system effectiveness was judged 
to be Low because of deficiencies in the detection and delay func- 
tions. Because of the deficiencies in the detection system discussed 
earlier and the lack of delay time with the doors open, system 
effectiveness is judged to be very Low. 

Discussion: For Condition 2, it was assumed that the building 
doors were closed and locked. The lack of an effective intrusion 
detection system caused the system effectiveness to be Low. 


Insider 


An insider employee becoming violent or deciding to damage or 
destroy is extremely difficult to predict. Background investigations 
may or may not be valuable in predicting such an outcome. If an 
employee decides to become violent, he or she could injure or kill 


252 PART TWO 


Adversary Sequence Diagram 
Control Center — Ground Attack 





Off-Site 



































































































































GAT1 || GAT2 || Fen | | FEN2 
A A A 
Protected Area 1 
GAT3 | FEN3 
A Protected Area 2 
1 
РЕВ1 | РЕВ2 | | мо | [ PER3| | SHD1] |50Р1 
С С С С С 
B Courtyard 
PER4 РЕВ5 SHD2 SUR2 
С Building Interior 
DOR SUR3 























Target Area — Control Center 








САТ! Personnel vehicle gate 

GAT2 Shipment vehicle gate 

FEN1 Outer fence of isolation zone 

FEN2 North side fence 

GAT3 South gate on masonry wall 

FEN3 Masonry wall 

PER1 Personnel entrance (portal) 

PER2 Sallyport doors to courtyard (portal) 
WND First floor windows 

PER3 South emergency exits (portal) 

SHD1 Shipping door 

SUR1 Exterior walls 

PER4 NW emergency exit in courtyard (portal) 
PERS NE emergency exit in courtyard (portal) 
SHD2 Shipping door in courtyard 

SUR2 Building walls from courtyard 

DOR Door into Control Center 

SUR3 Wall into Control Center 


Figure 13.13 ASD for Control Center. 


Demonstration of the Process 253 


coworkers, damage or destroy mission-critical equipment, or cause 
mass destruction and death with a bomb planted inside the facility. 

Adversary Scenario: All three of the undesired events described 
above for the insider adversary threat require common tactics. 
Three possible avenues exist for the insider to accomplish the 
undesired events: 


e Contraband (weapon, flammables, explosives) brought in 
through the personnel entrance 

e Contraband (weapon, flammables, explosives) brought in 
through other routes 

e Contraband (tools, hazardous materials) exists or could be 
covertly constructed into weapon or bomb on-site 


Scenario A. The insider adversary would attempt to bring in 
the contraband (tools, weapon, flammables, explosives) that he or 
she planned to use to accomplish the goal. It was assumed that 
the system effectiveness against this scenario was based on the 
probability of detection of the contraband. If the adversary were 
detected, he would give up or be neutralized by the security officers 
at the personnel entrance. The probability of detection was based 
on the detection of metal guns or tools. The probability of detection 
of a gun was estimated to be High for the metal detector and 
package x-ray machine for employees in the production/support 
and business/administration categories and Low for members of 


the security force who can bypass the screening process. 


Business/administration 





254 PART TWO 


Scenario B. The insider adversary would attempt to bring in 
the contraband (tools, weapon, flammables, explosives) that he 
planned to use to accomplish his goal through other than normal 
routes. One way might be to arrange to have the contraband hidden 
in normal supplies that enter the site at either the courtyard dock 
or the shipping door. The assumptions made are that all incoming 
supplies are thoroughly inspected for contraband. Further, it was 
assumed that the inner sallyport door was strictly monitored when 
open to ensure that someone could not enter, thereby bypassing the 
screening point, or use this route to retrieve contraband stashed 
outside the screening point and bring it into the courtyard. The 
system effectiveness estimate against this scenario was based on 
the probability of detection of the contraband. If the adversary 
were detected, he would give up or be neutralized. 


Insider Scenario B 
Production/support 


Business/administration 
Security officer 


Scenario C. The insider adversary would acquire or construct a 





weapon, flammable, or bomb inside the production area to accom- 
plish his goal. It was assumed that the system effectiveness against 
this scenario was based on the likelihood of detection of adver- 
sary action by personnel. Two categories of insiders would not be 
expected to routinely be in the production areas. 


Insider Scenario C 
Production/support 


Business/administration 
Security officer 





Demonstration of the Process 255 


Insider — Theft of Critical Assets (Physical) 


For this undesired event, two adversary scenarios were 
considered. 


1. Adversary obtains critical asset, plants them in waste or 
recycling, and retrieves them later. All materials taken to 
the courtyard as waste or recycling should be screened. 

2. Adversary activates fire alarm, takes critical asset out 
during evacuation, and stows them for later retrieval. 
Even though procedures call for security officer to mon- 
itor employees during evacuation to the east side of the 
building, the insider adversary could arrive at the holding 
area before the security force and either stow the stolen 
item(s) for later retrieval or throw it (them) over the fence. 


Because there are no definitive protection features to detect, 
delay, or respond to the production/support insider, the physi- 
cal protection system effectiveness level was judged to be Low 
for both scenarios. The other two categories of insiders, busi- 
ness/administration and security officer are not expected to have 
access to the production areas or vaults where finished critical 
assets would be located. 


Summary of Physical Protection System Effectiveness 


Table 13.16 summarizes the effectiveness levels of the physical 
protection system for the adversaries/scenarios. 

So far the focus has been on physical protection system effec- 
tiveness assessment. A valuable product of assessing system 
effectiveness is the identification of specific vulnerabilities of the 
protection system. If the security system effectiveness is judged to 
be Low, specific weaknesses and the associated deficient protection 
elements causing the Low level are site-specific system vulnera- 
bilities. Knowledge of site-specific vulnerabilities is valuable for 


PART TWO 


256 


шод 

JO Youy — јерт5иј 
quroq — лортвиј 
ydbe ‘qes – ләртѕи 
әәиәтүотл – ләріѕи] 
50400 Aq-aAliq 


Кләддол рәшлұ 


`%арә ләдә 
– уезде [eorshyg 


уде} ота/шәцу) 
лотлојш – (од 


лотлодхо – јод 


гизаг раллзари/) 


чаао о UO01JDAJSIUIU PW quoddngs 
«12026 /ssauisng / чопопрола | биро | ]юитша1лгу | 1514оллә], Кловагару 











чартвиј 








шој5ло зипогра 10ј зооџолцзоца шој5ло иопзајола [eIISAY 40 ешшпо [є әде 


Demonstration of the Process 257 


planning system upgrades to reduce risk and for contingency plan- 
ning to know where to place reinforcement protection during times 
of elevated threat conditions. 

The protection system for the building demonstrated Low pro- 
tection effectiveness for the terrorist, criminal, gang, and insider 
threats. An effective security system demonstrates a High per- 
formance level for the detection, delay, and response functions. 
The protection system for the building demonstrated weaknesses 
in all three functions. A major system vulnerability exists for the 
detection system in alarm display and assessment operations. This 
weakness dominated numerous adversary scenarios. The main 
sources of detection on the perimeter are the camera surveillance 
and the security force. (No exterior sensors are present.) Poor light- 
ing and camera output result in poor images on the monitors for 
the security officer in the Control Center. It is unrealistic to expect 
the security officer in the Control Center to effectively watch 20 or 
more monitors to detect an abnormality. The video replay for the 
alarm system was not timely enough to be effective. Detection of 
the insider removing valuable items from the building was suspect 
for some scenarios. System delay was marginal, at best, for some 
scenarios because critical doors were open and the security force 
was not in hardened (protected) positions. Response effectiveness 
was Low because response times were too long in most cases. 

The northeast corner of the building is an area of great con- 
cern. Most of the utilities — water, gas, electrical power, including 
backup — for the facility could be cut off from this area. An explosion 
in the boiler room might destroy much of the building, including 
critical production areas. Hazardous material tanks are located 
nearby. It is important to keep adversaries out of this area. 

Multiple vulnerable paths were found for each undesired event, 
and many of the vulnerable paths had common elements. The 
common elements are described below. 


258 PART TWO 


Detection 


e No detection due to lack of sensors, means of assessment, 
overload in Control Center 

e No CCTV coverage for some door alarms 

e No sensors for roof landings or traversals 

e Security force used for detection, but some lack body armor, 
protected positions, duress capability 

e Trees on perimeter challenge assessment capability 

e Lack of screening of insiders during evacuations 

e Lack of detection of insider removal of critical assets from 
building for specific scenarios 


Delay 


e Doors open (shipping door and vault during shipments, 
production rooms) 

e Critical utilities and storage of hazardous materials are 
street-accessible and unprotected (power generators, hydro- 
gen, nitrogen) 

e Buildings near fence allow for bridging 


Response 


e Lack duress capability for all officers 

e Lack backup communication 

e Lack body armor and protected positions (especially shipping 
dock) 


Quicker response time required for some scenarios 


Cyber-Protection System Effectiveness 


Much like an effective PPS that demonstrates High performance 
for the three functions of detection, delay, and response and the 


Demonstration of the Process 259 


integration of these functions, an effective cyber-protection sys- 
tem demonstrates High performance for three basic cyber-security 
functions and their integration. These functions are used to ensure 
the properties of confidentiality, integrity, and availability of data. 
Confidentiality requires that information not be made available to 
unauthorized individuals, entities, or processes. Integrity requires 
that information not be altered or destroyed in an unauthorized 
manner. Availability requires that information be accessible and 
usable on demand by an authorized entity. The three cyber- 
protection functions are: 


e Authentication 
e Authorization 
e Audit 


Authentication, authorization, and audit must be performed at 
a high level and must be integrated. The authentication and 
authorization strategies both provide data to the audit capability 
where it is analyzed for evidence of malicious activity. 


Cyber-Attack — Loss of Mission / Theft of Assets (Terrorist, Criminal, 
Insider Threats) 


Various scenarios exist for cyber-attacks on the business IT system 
to cause loss of mission or loss of proprietary information or attacks 
on the process control system to cause loss of mission. Figure 13.14 
pictures the architecture for the information system for the build- 
ing. The information system has a two-level network, consisting of 
the system network and the corporate network. The corporate net- 
work controls the business IT system and the production process 
control system. 

Because the business IT system and the production process 
control system are configured and protected identically, the 


260 PART TWO 


Electronic Security 
Perimeter 






Information System 





Secondary 
Electronic Security 


Corporate Network н 
Perimeter 







Process Control 






Business System Electronic 
system Security Perimeter 
Noncritical Cyber-Assets 


б© Critical Cyber-Assets 





Figure 13.14 Building Information System Architecture. 


cyber-path-diagram featured in Figure 13.15 is appropriate for 
critical cyber-assets in either system. 


Scenarios: 


Outsider threat — The outsider threat uses the Internet to 
attempt to gain access to the electronic security perimeter sys- 
tem of the information system, the secondary electronic security 
perimeter of the corporate network, and either the business IT 
system or the production process control system to reach the crit- 
ical cyber-asset(s) to cause loss of mission or loss of proprietary 
information. 

Insider threat — The insider threat uses his or her individual 
authorized access level to access the corporate network and either 
the business IT system or the production process control system 


Demonstration of the Process 261 


Electronic Access Points 
Dial-Up | кеш Control Center Alternate Software 
Мадет Access Point Access Point 


Electronic Security boundary (Perimeter) 


Noncritical Cyber-Asset Other Communication 
Communication Line(s) Line(s) 
Secondary Electronic Security Boundary (Corporate Network) 


Noncritical Cyber-Asset Other Communication 
Communication Line(s) Line(s) 


System Electronic Security Boundary (Process Control or Business System) 
Noncritical Cyber-Asset Other Communication 
Communication Line(s) Line(s) 








Application 





Critical Cyber-Asset 


Figure 13.15 Cyber-Path-Diagram for Critical Cyber-Assets in Business 
IT System or Production Process Control System. 


to cause disruption in mission or loss of proprietary information. 
Three categories of insider positions were analyzed: 


e Production/support or business/administration position 

e Computer system administrator position for either the busi- 
ness IT system or the production process control system 

e Security officer position 


Table 13.17 summarizes the building’s protection features for the 
cyber-functions: authentication, authorization, audit, and integra- 
tion. 


262 


PART TWO 


Table 13.17 Cyber-system Protection Features 


Integration 
Passwords — All employees Intrusion Firewall at 
user-defined, and contractors | detection system | electronic 
no system have access to at perimeter security 
requirements information electronic perimeter 

system. boundary (information 
system 
All business/ Scanners boundary) 


administration 


staff are on Virus protection | Firewall at 
access list for secondary 
business IT Access control electronic 
system. monitoring security 
boundary 
All production/ | Random traffic (corporate 
support staff data review network) 


are on access 
list for 
production 
Process control 
system. 


Computer 
system 
administrators 
have access to 
all systems and 
all assets. 





No encryption 





For the outsider threat, the cyber-protection-system effective- 
ness for causing loss of mission by attacking the business IT system 
or the production process control system or causing loss of sensi- 
tive information by attacking the business IT system was judged 
to be at the Low level of effectiveness. The minimum value of the 


Demonstration of the Process 263 


assessments for the authentication, authorization, audit, and inte- 
gration functions defined the overall cyber-protection effectiveness 
level. Authentication was judged to be Low effectiveness because of 
the weak passwords; authorization was judged to be of Low effec- 
tiveness because of the coarse groupings in the access lists; audit 
was judged to be of High effectiveness; integration was judged to 
be of Medium effectiveness because the systems have firewalls but 
no encryption features. 

For the insider threat categories, the computer system admin- 
istrator position posed the greatest threat to the cyber-system 
because of the authorized access to systems. Cyber-protection- 
system effectiveness was judged to be Low for the system admin- 
istrator category; system effectiveness was judged to be Low for 
the production/support or business/administration positions for 
the same reasons listed above for the outsider threat; the secu- 
rity officer position is not authorized to access the information 
system. 


Summary of Cyber-Protection-System Effectiveness 


Table 13.18 summarizes the cyber protection system effectiveness 
assessments for the threat spectrum. 


Table 13.18 Cyber-Protection-System Effectiveness Assessments 


Loss of Loss of Sensitive 
5 I B н 


| Terrorist = 


пр == 


Business/administration or Low Low 
production/support employee 

Computer system Low Low 
administrator 





264 PART TWO 


The site-specific vulnerabilities for the cyber protection system 
include: 


Authentication 


e Weak passwords (user sets own) 
e Only single-factor authentication into critical asset areas 


Authorization 


e Access list groupings too coarse (too many categories given 
access to systems) 

e No protection or restrictions for computer system adminis- 
trator access 


Audit 
e Data reviews could be done more often 
Integration 


e No encryption features 
e No firewalls to separate business and process control sys- 
tems 


13.10.2 Analysis of Blast Effects 
Existing Building Configuration 


The building is a steel-frame structure with thick concrete bearing- 
wall panels securely mounted to the structure to form the exterior 
envelope. The four corners of the building are supported by 
the main steel and concrete-covered columns that are the key 


Demonstration of the Process 265 


structural elements of the building. All of the steel floor beams are 
connected to these columns, but some of the floor slabs are poured 
in place or precast and are freely resting on these beams. These 
floor slabs do not support any upward loads that would be caused 
by an explosive airblast. The columns are tied together through 
the floor beam array and by additional diagonal steel elements on 
selected floors to minimize any potential twisting caused by wind 
and earthquake loads. These four composite building columns are 
also embedded in deeply buried concrete pier foundations that are 
supported by competent bedrock. However, any severe damage 
to any one of the four columns, especially at or just above the 
basement or the first floor level, will weaken the structure and 
result in progressive building collapse and major disruption to the 
numerous interior and exterior utility systems, including electric 
power, water-wastewater, gases (nitrogen and hydrogen), HVAC, 
and communications. 

The steel roof beams help support the roofs open-web steel 
joists. The roof consists of a metal deck, lightweight-insulating 
concrete, and a built-up roof system. The mechanical and electrical 
equipment penthouse area, located on the surface of the roof, is 
a constructed medium-sized steel-stud-framed building with steel 
roof joists. Radio and microwave antenna and communication 
systems are also mounted on the roof deck. Access doors and utility 
penetrations on the roof are provided for enhanced lighting on the 
twelfth floor, utilities, and for personnel access during operations 
and maintenance periods. 

The exterior wall consists of a variety of cementitious materials, 
including reinforced concrete panels, granite sills, insulation, and 
interior drywall or plaster walls. The exterior is pierced with 
a variety of different-sized windows that cover almost 40% of 
the exterior facade. The windows are steel framed, and single 
paned, quarter-inch-thick glass with sunscreens in some areas. 
The windows are inset slightly for sun shading. The ceilings are 


266 PART TWO 


lay-in acoustical tile material for all the administrative floors 
and lightweight sheet metal for the manufacturing and other 
nonadministrative working areas. 

The building is designed with a main core surrounding the open 
courtyard at the first floor. The main movement of occupants is 
located at the entrance to the building and in the lobby that allows 
access to the manufacturing floors and to the passenger elevators 
near the opening of the courtyard. The courtyard core area also 
provides two emergency stairways that exit toward the northern 
vehicle parking area and driveway at the east side of the building. 
A utility shaft is also located adjacent to the open courtyard for elec- 
tric and communication cables, security systems, and HVAC ducts. 


Adversary Attack Scenario 


Although the building site perimeter permits the placement of a 
vehicle bomb anywhere around its fence-line/curb-line, at varying 
standoff distances from the building, the most likely target location 
that would create significant damage is the southeastern corner of 
the building. Here, the minimal standoff distance is 25 feet, and 
one of the building’s critical steel-concrete composite columns is 
fully exposed to a potential explosive attack. In practice, the blast 
analysis required by a risk assessment process can be performed by 
obtaining professional judgment from a panel of experts, by apply- 
ing blast curves and engineering tables of blast loadings to this 
building, or by completing a computer-based finite-element analy- 
sis of the detailed structure-blast interaction. For this example, it 
is assumed that a vehicle carrying 500 pounds (TNT-equivalent) of 
bulk explosives will be placed within 25 feet of the building column 
and detonated before the security force can neutralize the attack. 
The adversary will develop the scenario to achieve the most 
damage and the most destructive impact on the owners and coun- 
try. Before an attack, the adversary will most likely review the 
drawings and examine the target of the attack for details that 


Demonstration of the Process 267 


will ensure success and maximum destruction. Therefore, the pre- 
dicted extent of structural and collateral effects and damage and 
the estimated human casualties for this scenario must be based 
on technical experience, professional background knowledge, and 
on actual data from experiments and explosive tests that have 
been conducted by numerous government and private agencies in 
the past. This knowledge base is readily available to those who 
have the need to know, and the information can be applied to most 
scenarios determined to be the largest risks to the owner and to 
the building operation. For example, extensive data is available 
from reports of actual attacks at U.S.-occupied buildings, including 
the military buildings in Beirut and Saudi Arabia; the bombing 
of the foundation in the parking area of the World Trade Center 
towers; the attacks on U.S. embassies in Africa; and the attack at 
the federal building in Oklahoma City. The information accumu- 
lated by our country and other countries is useful in understanding 
the behavior of buildings under explosive loadings and in estimat- 
ing the extent of destruction and loss of lives that would result. 
A structural and blast engineer with the appropriate knowledge 
and background can provide a good approximation of the con- 
sequences that will be experienced from an explosive attack on 
a building. 


Estimated Consequences 


The ATF table indicates that 500 pounds of explosives in the trunk 
of a vehicle will cause lethality at up to 100 feet away. Therefore, 
the explosion alone is estimated to cause fatalities to more than 
100 building occupants, depending on their locations inside the 
building at the time of the explosion. The building exterior concrete 
envelope will provide some protection to its occupants; however, 
all of the windows on the south and east side of the building 
will be shattered, and the debris from the broken glass and flying 
construction materials will impact many of the occupants who 
are occupying the southeast corner of the building. The airblast 


268 PART TWO 


will penetrate the building through the window openings, and the 
dynamic pressures alone can be fatal or seriously damage lungs, 
eyes, ear drums, and much of the human body. The pressure and 
impulse of the air blast has also been known to push human 
bodies for significant distances and against interior walls. Medical 
problems will be experienced for many who survive, including 
stress to the heart and other tissues, broken limbs and fractures, 
and the like. An estimated 150 building occupant injuries can 
be expected with this scenario. The dust and fumes that would 
emanate from the building explosion would also cause inhalation 
problems to building occupants and the surrounding neighborhood 
and possible delayed explosions from the trapped gases in the 
rubble. 

The southeastern corner of the structure would fail completely, 
and the corner would most likely collapse progressively after the 
critical column is first fractured and weakened and then ruptured 
by the vertical loads that are transferred on the column from 
the upper remaining structure. This progressive collapse event 
would destroy a major portion of the building and impact all 
occupants who are in the vicinity and possibly survived the air 
blast. An estimated 50 additional occupants will be casualties from 
the collapsing building. This building would be destroyed beyond 
repair as the interior and exterior assets will be damaged and 
cannot be salvaged for future repairs. The cost of a new building is 
estimated to be $200M, and the damage to the high-value products 
and raw materials is estimated to be another $50M. The loss of 
revenue during the 18-month period while another building is 
built on the same site is estimated to be another $300M, unless a 
temporary location can be rented in the interim period. The overall 
consequences are considered High from a 500-pound explosive 
attack described above, from the loss of lives and injuries, loss of 
revenue, loss of property value, loss of continuity of operations, and 
loss of credibility within the employee and customer base. 


Demonstration of the Process 269 


13.11. ESTIMATION OF RISK 


Security risk is a function of the likelihood of attack, consequence 
of successful attack, and security system ineffectiveness. To esti- 
mate relative security risk, the qualitative estimates for likelihood 
of attack, system ineffectiveness, and consequence are logically 
combined. A simple method, based on expert judgment, for com- 
bining the three risk parameters to estimate security risk can 
be used. Table 13.19 summarizes the results of the security risk 
assessment. 


13.11.1 Risk Summary 


Medium or higher risk levels were estimated for the terrorist, 
criminal, gang, and insider threats for several undesired events at 
the building. High risk describes incidents that are likely to occur, 
have relatively High consequence, and against which the security 
system cannot adequately protect. Specifically, for the building, the 
threats and associated undesired events posing Medium or higher 
security risk level are: 


Terrorists 


e Sniper 

e Bomb (exterior and interior) 

e Chem/bio attack 

e Cyber attack (loss of mission or theft of information) 


Criminals 


e Armed robbery 
e Arson 
e Cyber-attack (loss of mission or theft of information) 


PART TWO 


270 


(јргјагао рапитиод) 





чозолуѕтитшрү 
шав «о 


ла | 


ANANI 








UONDASIUNUPY 
/ssauisng 





quoddng 
јиопопроа 








а оза воа о |за аа о заа о |а аон оаа а оа таа оаа 


ѕјәләј ұиәшѕѕәѕѕүу 4SIy AUNDAS = LEL AIGUL 


271 


Demonstration of the Process 


н |у ләдКә 
н |у үеотвАца 
Не Си 
ЈО 5807 
WIW ләдКә 
| WIN Teotskyd 
:819558 
oyut jo 
PL 

















ло]юд;втитшрү ио1олуѕтитшру a 
wajskg «патога /ssauisng / модопрола 





(рәпиђиоэ) 6LEL aqeL 


272 PART TWO 


Gang Members 


e Drive-by shooting 
e Armed robbery 
e Arson 


Insiders 


e Violent insider — production/support, security force 

e Bomb — production/support, security force 

e Loss of mission by cyber-attack — system administrator, pro- 
duction/support 

e Loss of information by cyber-attack — system administrator, 
production/support, and business/administration 


Estimated risk levels are compared to a predetermined risk thresh- 
old to decide whether further analysis is required. The threshold is 
determined by the analysis team and the security risk managers. 
The analysis team together with management decided that the 
threshold risk value for the corporation is Medium. 


13.12 RISK REDUCTION STRATEGIES 


If the estimated baseline risk level for the threat spectrum is 
judged to be above the established threshold (too High), risk reduc- 
tion strategies for the system may be considered. Risk reduction 
strategies focus on reducing the levels of the parameters of the 
security risk equation: likelihood of attack, system ineffectiveness, 
and consequence. In practice, risk reduction is made most success- 
ful by improving protection system effectiveness and mitigating 
consequences. 

Risk Reduction Upgrades — Security system planners must 
address how to reduce security risk. Planners might consider 
adding features to increase physical or cyber-protection system 


Demonstration of the Process 273 


effectiveness and/or to reduce or mitigate consequences. Site- 
specific vulnerabilities identified in the system effectiveness anal- 
ysis provide guidance for adding/modifying features. Upgrades to 
the system might include retrofits, additional safeguard features, 
or additional safety mitigation features. Consequence analysis 
and system effectiveness analysis should then be repeated for the 
upgraded system in order to estimate a risk level associated with 
the upgraded system. If the estimated risk for the upgraded system 
is below the threshold, the upgrade is completed. If the risk is still 
above the threshold, the upgrade process should be repeated until 
the risk level is judged to be below the threshold. 

After reviewing the adversary scenarios estimated to be High 
risk to the building, an upgrade package to the physical protec- 
tion system was suggested. High risk scenarios were estimated 
for the terrorist, criminal, gang, and insider threats, first. Specific 
upgrades were selected to increase security system effectiveness 
(reduce adversary success). The upgrades range from procedu- 
ral changes and elimination of activities to hardware additions. 
Whereas general upgrades were expected to affect all scenarios, 
some upgrades were suggested for specific threats, such as terrorist 
bomb, insider, or gang drive-by shooting. 


13.12.11. Physical Protection System Upgrades 


A significant vulnerability in the current or base security system 
for the example building is the detection system. An upgrade to the 
system must include an upgrade to the Control Center. A perime- 
ter intrusion detection system would allow security officers in the 
Control Center to receive, assess, and (video) record alarms and 
be able to communicate to local law enforcement. Sallyport doors 
into the courtyard should be closed, locked, and alarmed, and the 
entrance should be controlled by a personnel identification system 
that incorporates checking credentials and biometric identifiers. 
The perimeter intrusion detection system would include intrusion 


274 PART TWO 


sensors, alarm communication, lights, and CCTV assessment capa- 
bility with supervised lines and tamper protection for hardware. All 
exterior doors (dock, roof, emergency exits, personnel entrances) 
should be hardened (3-inch steel plate, if possible) and equipped 
with penetration and position sensors with CCTV assessment. In 
addition, the shipping/receiving doors should be hardened, locked, 
and alarmed and have CCTV assessment capability except during 
a shipment. During a shipment, a dedicated security officer in a 
protected structure should monitor all activity through the door. 
An additional protected officer should be positioned near the open 
vault during shipments. 

Security officers would benefit from protected positions or struc- 
tures, body armor, and duress signaling capability. Local law 
enforcement response times must be reduced. In addition, the 
response force must be of sufficient number to neutralize the 
adversary threat; arrival one at a time would not be as effective. 

The physical security system upgrades are summarized below. 


Control Center 


e Access control-credential, biometric identifier 
e Alarm communication and display upgrade 


Intrusion Detection System 


e Supervised lines 
e Tamper-indicating devices 
Perimeter (sensors, alarm communication, lighting, CCTV 


assessment) 

e Exterior doors including roof, shipping, emergency exits, 
and sallyport entrances, plus asset-control interior doors, 
hardened ( 3-inch steel plate added, if possible), penetration 
sensors, door switches, CCTV assessment, dedicated and 


Demonstration of the Process 275 


protected security officer positions when shipping and vault 
doors open 
e Sensors and cameras to cover roof 


Security Officers 
e Protected (hardened positions) 
e Duress signaling capability/communication 
e Body armor 


Terrorist Bomb Scenarios 


e Close adjacent streets to vehicles or restrict curbside parking 
(may not be feasible) 


Insider 


e Compartmentalized work areas (close, lock, alarm, and con- 
trol access to work areas by badge reader and password) 

e Secure passwords 

Control of on-site items, such as tools that could be used to 


harm, destroy, or make explosive items 
e Extensive background check, higher standard for employ- 
ment, scheduled updates 
Emergency evacuation — screen for metal, evacuate to secure 
holding area 
e All employees pass through contraband detection screening 


Wastewater, Power Generators, Fresh-Air Intake 


e Hardened barrier covers 
e Backup sources 
e Lock and alarm doors to sallyport 


276 


PART TWO 


13.12.2 Result of Physical Protection System 


Upgrades were suggested for adversary scenarios estimated to 
be High risk for the example building. The system effectiveness 
values and risk values estimated for the upgrades, collectively, 
are given and compared to the baseline physical security system 
in Figure 13.16. The risk associated with some of the scenarios 
would be reduced with the increase in physical protection system 
effectiveness bought about by the implementation of features of 


Upgrades 


the upgrade package. 





Adversary: 


Undesired 
event: 
Sniper 


Terrorist | Criminal | Gang 


Insider 





Production 
/support 


Low|Low 





Bomb- 
exterior 





Low|Low 





Bomb- 
interior 





Low|High 





Chem./Bio. 
attack 





Low|High 





Arson 


Low|High | Low|High 





Physical 
attack —cyber 
eqpt. 


Low|High | Low|High 





Armed 
robbery 


Low|High | Low|High 








Drive-by 
shooting 





Low|Low 








Insider - 
violence 


Business 
/administration 





Security Officer 





Low|Low 





Insider - sab. 
eqpt 


High 


Low|Low 





Low|Low 





Insider - 
bomb 


High 


Low|Low 





Low|High 





Insider - theft 
of item 





High 


Low|High 





Low|High 











N/A 





N/A 








Condition 1|Condition 2 


Figure 13.16 Physical Protection System Effectiveness for 


Upgraded Package vs. Baseline System. 


Demonstration of the Process 277 


Exterior Bomb 


Closing adjacent streets is deemed to be infeasible in the case for 
the example building. The building is still vulnerable to a vehicle 
bomb attack on the north side. No change in physical protection 
system effectiveness or risk level is expected. 


Sniper, Drive-By Shooting 


Inevitably, even with the provisions of the upgrade package, there 
are still times that employees/personnel will be outside the building 
structure and susceptible to a sniper or drive-by shooting incident. 
No change in physical protection system effectiveness or risk level 
is expected. 


Armed Robbery 


Condition 1 -— for this scenario, the adversary climbs or bridges 
the fence, traverses the area to the shipping/receiving door that 
is open for shipments and manned by a security officer, enters 
the open building, travels to open vault, packs up finished product 
assets, and exits the same way as entrance. Condition 2 — same 
scenario except building doors and vault doors are closed and 
locked. Figure 13.17 summarizes the estimation of protection sys- 
tem effectiveness for the upgraded system. System effectiveness 
was judged to be Low for the baseline system, Low for Condition 
1, and High for Condition 2 if law enforcement can respond within 
180 seconds. 


Interior Bomb, Arson, Chemical / Biological Attack in the Courtyard 


Condition 1 — for this scenario, the adversary climbs or bridges the 
fence, traverses the area and enters via the sallyport doors, enters 
the courtyard, sets explosives, and retreats. Condition 2 — same 
scenario. Figure 13.18 summarizes the estimation of protection 


278 PART TWO 





System Features | FEN2 PA2 SHD1(C) | Bldg Int DOR Task 


Detection H H H H 
Effectiveness 


























Delay (s.) Cond 1/2 10 7(500) o | 30 10(700) | 0 | 180 120 
А Detection Effectiveness value (maximum High 

Value) 

B Response Effectiveness Value High 

С Sum of delays (including and after first H or 147 5. 357 5. 

D 

E 

















second M for detection) Condition 1/2 
Response force time 180 5. 
Compare C to D: С<р C>D 
LifC<D 
MifC~D 
HifC>D 
SUMMARY OF SYSTEM EFFECTIVENESS | Cond. 1 - Low | Cond. 2 - High 
(minimum of A, B, and E) 





























Figure 13.17 Scenario Analysis for Armed Robbery. 





















































System Features FEN(A) PA 2 PER Courtyard Task 
Detection H H H 
Effectiveness 
Delay (s.) Cond 1&2* 10 7(500) 30 15(1000) 180 

A Detection Effectiveness Value (maximum High 

Value) 
B Response Effectiveness Value High 
С Sum of delays (including and after first H or 242 s. 
second M for detection) Condition1 & 2* 
D Response force time 180 s. 
E Compare C to D: C>D 
LifC<D 
MifC~D 
HifC>D 
SUMMARY OF SYSTEM EFFECTIVENESS Both Conditions - High 
(minimum of A, B, and E) 








Figure 13.18 Scenario Analysis for Attacks in Courtyard. 


system effectiveness for the upgraded system. System effectiveness 
was judged to be Low for the baseline system, and High for both 
Conditions 1 and 2 if law enforcement can respond within 180 
seconds. 


Demonstration of the Process 279 



























































System Features | FEN2 | PA2 SHD1 (C) Bldg Int | CC DOR Task 
Detection H H H H 
Effectiveness 
Delay (s.) Cond 1/2 10 7(50') 0 30 20(150') 30 180 

A Detection Effectiveness Value (maximum High 
Value) 
B Response Effectiveness Value High 
С Sum of delays (including and after first H or 247 s. 277 8. 
second M for detection) Condition 1/2 
D Response force time 180 5. 
Е Compare C to О: C>D C>D 
LifC<D 
MifC~D 
HifC>D 
SUMMARY OF SYSTEM EFFECTIVENESS | Cond. 1-High Cond. 2- High 
(minimum of A, B, and E) 











Figure 13.19 Scenario Analysis for Control Center Attack. 


Information System Physical Attack at Control Center 


Condition 1 -— for this scenario, the adversary climbs or bridges 
the fence, traverses the area and enters the building via open 
shipment doors, travels to the Control Center, defeats the door, 
enters the Control Center, sets explosives, and retreats. Condition 
2—same scenario, except that the building doors are closed and 
locked. Figure 13.19 summarizes the estimation of protection sys- 
tem effectiveness for the upgraded system. System effectiveness 
was judged to be Low for the baseline system; and High for both 
Conditions 1 and 2 if law enforcement can respond within 180 
seconds. 


Insider — Violence and Sabotage of Equipment 


Scenario A or B (insider adversary attempts to carry in contraband 
or insider adversary attempts to bring in the contraband via alter- 
nate routes) — the upgrade procedure that requires all personnel to 
pass through contraband detection process together with screening 
all incoming materials results in High protection system effective- 
ness for all insider categories. For Scenario C (insider adversary 


280 PART TWO 


acquires or constructs weapon, flammable, or bomb inside the pro- 
duction area) — training personnel to detect unusual behavior and 
the elimination of materials and equipment that could be made 
into a weapon is not expected to significantly increase protection 
system effectiveness. 


Insider — Bomb or Theft of Item 


Because of the upgrade package requirement for all personnel to be 
screened for contraband on entry and exit, the physical protection 
system effectiveness is judged to be High for preventing the insider 
from bringing in a bomb or removing a valuable product. 


Conclusion 


Because physical protection system upgrades cannot prevent all 
identified undesired events from occurring except in cases in which 
law enforcement must arrive in such a short time that they almost 
have to be located on-site, the upgrade package should also include 
consequence mitigation schemes in order to reduce the security 
risk. 


13.12.3 Cyber-Protection System Upgrades 


Authentication 


e Implement strong passwords 
e Add two-factor authentication 


Authorization 


e Compartmentalize authorized access to business IT network 
and production process control network 

e Compartmentalize authorized access for computer system 
administrators 


Demonstration of the Process 281 


Audit 
e More frequent review of traffic data 
Integration 


e Add firewalls to business system and process control system 
electronic security perimeters 

e Encrypt all communications into and within business system 
and process control system 


13.12.4 Results of Cyber-Protection System 
Upgrades 


The addition of the cyber-protection system upgrades is expected 
to significantly enhance the effectiveness to the High level. 


Loss of Mission /Theft of Information 


Outsider threat — The additions of stronger authentication, autho- 
rization, audit, and integration features are expected to make it 
significantly more difficult to cause loss of mission or impact the 
business IT system to cause loss of proprietary information. 

Insider threat — The addition of stronger authentication, autho- 
rization, audit, and integration features are expected provide better 
protection against the system administrator position to be ability 
to cause loss of mission or impact the business IT system to cause 
loss of proprietary information. 


13.12.5 Consequence Mitigation Upgrades 


One of the most extensive and costly consequence mitigation 
upgrades that has been applied to buildings is for structural hard- 
ening against a bulk explosive charge delivered in a vehicle by a 
terrorist. If this scenario is in fact deemed to have a High likelihood 


282 PART TWO 


of attack at a particular building, the most effective measure to 
apply is the additional standoff distance to the building’s key struc- 
tural members, such as a column. This is usually possible if the 
building is situated in a rural area and there is sufficient acreage to 
allow for a vehicle barrier system at 100 to 200 feet away from the 
building. This additional standoff distance is usually achieved by 
using vehicle-arresting cable attached to rigid post at the building 
site perimeter; installing bollards, planters, and/or rigid walls to 
arrest vehicles, or by increasing the height of the curb sufficiently. 
Each of these barriers in its own way will act as an anti-ram device 
and prevent adversarial vehicles from getting any closer to the 
building. The effects of an explosive charge attack are significantly 
diminished with distance away from a designated target. 

The minimal distance from the curb to the building is 25 feet 
in this example, and there are no means currently for preventing 
a vehicle with explosives from ramming through the fence and 
traveling up against the building columns at the south corners. 
Therefore, one of the first hardening measures is to ensure the 
maximum standoff distance is maintained. The streets around the 
east and west sides of the building must be closed to any vehicular 
traffic. The south side has 50 feet of set-back (standoff), but this 
distance is insufficient to protect the building from a 500-pound 
charge. In interest of maintaining these set-backs from the fence, 
a vehicle-arresting cable well mounted to the fence posts will 
assure that a large amount of bulk explosives cannot be placed 
near the building. The north side of the building has 150 feet of 
set-back that extends to the site perimeter of the parking area. 
This set-back appreciably reduces the effects of the 500-pound 
charge; windows will shatter and some damage to the facade 
will be noticed. However, installing the arresting cable along this 
site perimeter will be of benefit by providing an assured ram-free 
boundary along the entire fence line. To further protect the building 
from the effects of blast, soil-rock berms can be constructed within 


Demonstration of the Process 283 


the fenced area and the building itself. These soil berms up to 6 
feet high will act as backup vehicular barriers and blast mitigation 
at the lower floors. The cost for the arresting cable installation 
on the existing fence, including along any of the gates to the site, 
and building soil berms with the property site, is estimated to be 
$0.5M. 

The other consequence mitigation upgrade to be considered is 
hardening the structure so that progressive collapse of the building 
is not expected. The most common means for structural hardening 
is wrapping a carbon fiber embedded in resin plastic around the 
column and on the wall surfaces up to about the third or fourth 
floors from the ground. In addition, the columns will need to be 
reinforced with cross braces to the floor beams up to about the 
fourth or fifth floors, on all corners of the building, to allow for 
load transfer in the event of a column collapse nearest to the 
explosive charge. These techniques must be evaluated using blast- 
structural analysis methods to verify that potential collapse will be 
averted and that the damage to the remaining structural systems 
is considered minimal with these upgrades. The cost of these 
structural hardening measures is estimated at $5M, including the 
costs of some operational downtime during the construction of 
these upgrades. 

The windows on the first four exposed floors would also require 
some hardening measures, such as film application to minimize 
chards and fragments from impacting the occupants. This upgrade 
technique is used; however, the security enhancement is still ques- 
tionable because of the potential for the entire glass pane to act 
as a projectile that impacts building occupants. Alternatively, the 
glazing on the first four exposed floors can also be replaced with a 
more blast-resistant glass, such as a laminated glass, and adding 
anchor-frame-mullion upgrades, where needed. The estimated cost 
for replacement glazing is about $1.5M. 


284 PART TWO 


13.12.6 Summary 


These consequence mitigation upgrades will reduce the risk from 
High to Medium. The loss of life because the building will not 
collapse is reduced from 150 to less than 50, and injuries from 
falling objects and flying glass and debris will be reduced from 
150 to less than 50. The cost for restoring the building and its 
interior equipment will be reduced from $200M replacement cost 
to $50M repair costs. The loss of high-value products and inven- 
tories will be reduced from $50M to $5M primarily because the 
vault will remain intact. The loss of revenue will be reduced 
from $300M to $50M because the repair time will be less than 
6 months compared with 18 months for total building replace- 
ment. The total cost for consequence mitigation was estimated 
at $7M. The savings is projected to be $445M ($150M, $45M, 
$250M for building repairs, loss of high-value inventory, and loss 
of revenue, respectively). One hundred building occupant lives 
saved and 100 reduced occupant injuries indicate the magnitude 
of risk reduction possible from the building hardening measures 
described. 

These risk reduction factors do not include the benefits that 
would be derived from the enhanced public and customer confi- 
dence and occupant comfort from knowing that upgrade measures 
would provide added protection in the event of a deliberate explo- 
sive attack. The insurance premiums might be reduced in the 
longer term if the upgrades are evaluated through appropriate 
negotiations regarding the potential for reduced liabilities and 
lawsuits. The neighboring community might believe in the reduc- 
tion in target attractiveness and thereby consider itself much 
safer without the burden of the looming threat. The cost of 
the upgrades could be amortized in a selected number of years 
and the return on the investment might then be appreciably 
higher. 


Demonstration of the Process 285 


13.13. IMPACT ANALYSIS 


Impact Analysis— Once the system upgrade has been deter- 
mined, it is important to evaluate the impacts of the risk reduction 
on the mission of the facility and the cost. If system upgrades put 
a heavy burden on normal operation, a trade-off would have to be 
considered between risk and operations. Budget can be the driver 
in implementing security upgrades. A trade-off between risk and 
total cost may have to be considered. The assessed level of risk 
and the upgrade impact on cost, mission, and schedule is valuable 
information to security risk managers. Figure 13.20 describes the 
expected impacts of implementing the proposed upgrade package. 


13.13.1 Impacts of Upgrade Package 


The upgrade package is assessed to have: 


e No negative impact on security risk level; in fact, security 
risk is reduced by the upgrade package. See Table 13.20. 


Negative Impact 














Т 
Risk Cost Operations Acceptability 


Figure 13.20 Expected Negative Impacts of Upgrade 
Package. 


(јргјагао рапитиод) 


T 


(1 1 


Кләддол 
рәшгү 


мовује 
н | о/шәчу 


үр 
о 


PART TWO 


TH H 
J0119}U1 
лотлојхо 
ТТЕ Т ЕК КЕК Г [к [ин [эв 
ajoa p asao a a o aa a ааа а оаа о нај 


чоуолувтитшрү 1220 иотолатитиру quoddng бирр ppuru 18140443], Клрвадару 
шә]8&© “уыпәәў /ssouisng ј иопопролат 


әЗеҗәоеа әре;8ап әці 4 рәрғоуу џиопозпром 54 /јип2ос pue 51у UNIS оипозра ј0 иозивашо 081, әјаер 























286 


287 


Demonstration of the Process 


WIN|W| WH TW|W| TH ти Te |н|ти|и| пн TW|W| TH TW|W| TH лодко 
WINWN|W| WH TW|W| TH ти пїн |н|ти|и| пн TW|W| TH TNA] тін Теотѕца 
SUOTSSTUL 

Jo sso 

ИШИ || ИН TIH ти тн |н (чии тін ти |х| тін ти |! тін ладко 
ИПИ | И | ин TIH ти тн |н {чии тін ти (| тін ти (| тін Геотѕќца 
1539556 

"оу Јо зјәці], 


шә} ЈО 
|__| __________ „ал ли ооа 
quoq 
Aeee an [afael a efet oo | 


pfe x fefe o paa o pee a a 
ша18 Ка Apan /ssouisng ј иопопроа 


(pənunuo2) оёр әче 




















288 PART TWO 


e High negative impact on cost. Addition of physical, cyber-, 
and blast effects protection magnify construction, mainte- 
nance, and operation costs. 

e Low negative impact on operations and acceptability by per- 
sonnel. Upgrade package is not expected to impact day-to- 
day activities and so is expected to be accepted by personnel. 


13.13.2 Impacts of Consequence Mitigation Package 


The most significant impact for these blast consequence mitiga- 
tion measures would be the investment cost for the approved 
upgrades. There would also be some impact on the security opera- 
tions regarding the arresting cable at the entry gates, and periodic 
inspections required along the fence-line that would better ensure 
adequate anti-ram performance throughout its life expectancy. The 
soil berms adjacent to the building might obscure the visibility from 
inside the building basement. The impact of construction modifi- 
cations to the occupants and to the operations would be noticeable 
but minimal because most of the work will be on the main building 
structure and specifically along the exterior walls. 


13.14 PRESENTATION TO MANAGEMENT 


The final step in the risk assessment process is the preparation 
of a presentation package for the risk managers and stakeholders. 
This material is usually presented in a briefing, which affords deci- 
sion makers the opportunity to request clarification or additional 
data and ask any questions about the assessment, including its 
assumptions, conclusions, recommendations, and supporting data. 

The presentation generally includes the threat description, the 
security risk estimates for the baseline system, descriptions of any 
risk reduction packages, and the results of the impact analysis for 
the risk reduction package(s). By comparison to the baseline risk 
levels, managers are able to understand what the upgrade package 


Demonstration of the Process 289 


is buying them in risk reduction as well as other potential impacts. 
The total presentation package provides invaluable information 
for risk management decision makers. 


13.14.1 Threat Description 


The threat for this building is presented in Tables 13.3 through 
E-8, the summary tables that show the threat information and 
analyses performed for the building. Depending on the level of 
detail required by the management and stakeholders for whom the 
presentation is prepared, this may be adequate. Table 13.3 lists the 
five types of adversaries considered for the building — terrorist out- 
siders who may be colluding with an insider, an insider, criminals, 
extremists, and a gang, and describes the numbers of individuals 
associated with each group; the equipment, vehicles, and weapons 
available to each group; and the tactics employed by the group. 
These characteristics serve to define and distinguish the poten- 
tial adversaries. Tables 13.4 through E-8 specify the likelihood 
of attack by each of these five types of adversaries by matching 
such threat characteristics as capability, historical and current 
interests, previous attacks, current surveillance and documented 
threats, consequences, and ideology with specific actions that would 
cause undesired events. The insider threat is approached some- 
what differently, as the insider security threat is defined by access 
to assets, authority, access to the security system, and the oppor- 
tunity for collusion. 


13.14.2 Security Risk Estimates for the Baseline 
System 


Security risk assessment levels (based on the consequences asso- 
ciated with a specific attack, the likelihood of such an attack by a 
potential adversary, and the likelihood of the physical protection 


290 PART TWO 


system at the building failing to prevent this attack) for the 
building security events considered in this risk assessment are 
summarized in Table 13.18. Again, the insider threat is considered 
somewhat differently, as the severity of the threat is variable for 
insider threats (depending on access, authority, and opportunity) 
and thus the security risk is variable. Table 13.18 shows the secu- 
rity risk variability of the insider threat by summarizing different 
positions. 


13.14.3. Risk Reduction Packages 


For the baseline security risk levels considered too High — that 
is, above the specified threshold established for this risk assess- 
ment —a risk reduction package was prepared. Risk reduction 
strategies focus on reducing one or more parameter of the security 
risk equation: likelihood of attack, security system ineffectiveness 
against that attack, and the consequences of a successful attack. 


13.14.3.1 Reducing the Likelihood of Attack 


It is unlikely the building would be able to affect the many char- 
acteristics of the adversary, with the possible exception of ease of 
attack. Even if the building security decision makers were able to 
reduce the ease of attack, how would it be measured? And would 
this reduction be sufficient to reduce the overall security risk? 
In practice, security risk reduction is very difficult to achieve by 
reducing the likelihood of attack. 


13.14.3.2 Reducing Security System Ineffectiveness 


Upgrade packages for the physical protection system and the cyber- 
protection system were developed to reduce the security risk of the 
building. The physical security system upgrades are summarized 
below: 


Demonstration of the Process 291 
Control Center 


e Access control — credential, biometric identifier 
e Alarm communication and display upgrade 


Intrusion Detection System 


Supervised lines 


e Tamper-indicating devices 

e Perimeter (sensors, alarm communication, lighting, CCTV 
assessment) 

Exterior doors, including roof, shipping, emergency exits, 


and sallyport entrances, plus asset-control interior doors, 
hardened (3-inch steel plate added, if possible), penetration 
sensors, door switches, CCTV assessment, dedicated and 
protected security officer positions when shipping and vault 
doors open 

e Sensors and cameras to cover roof 


Security Officers 


e Protected (hardened positions) 
e Duress signaling capability/communication 
e Body armor 


Terrorist Bomb Scenarios 


e Close adjacent streets to vehicles or restrict curbside parking 
(may be infeasible) 


Insider 


e Compartmentalized work areas (close, lock, alarm, and con- 
trol access to work areas by badge reader and password) 
e Secure passwords 


292 PART TWO 


e Control of on-site items, such as tools that could be used to 
harm, destroy, or make explosive items 

e Extensive background check, higher standard for employ- 
ment, scheduled updates 

e Emergency evacuation — screen for metal, evacuate to secure 
holding area 

e All employee pass through contraband detection screening 


Wastewater, Power Generators, Fresh-Air Intake 


e Hardened barrier covers 
e Backup sources 
e Lock and alarm doors to sallyport 


In addition to the bricks-and-mortar security upgrades, the pro- 
tection of the data and proprietary information in the building’s 
cyber-system should also be improved. Upgrades to the cyber- 
protection system include: 


Authentication 


e Implement strong passwords 
e Add two-factor authentication 


Authorization 
e Compartmentalize authorized access to business IT network 
and production process control network 
e Compartmentalize authorized access for computer system 
administrators 


Audit 


e More frequent review of traffic data 


Demonstration of the Process 293 


Integration 


e Add firewalls to business system and process control system 
electronic security perimeters 

e Encrypt all communications into and within business system 
and process control system 


13.14.3.3 Mitigating the Consequences of a Successful Attack 


Consequence mitigation is another very effective way to reduce 
security risk. Increasing the standoff distance and hardening the 
structure can significantly reduce the consequences of a bulk explo- 
sive charge delivered in a vehicle by a terrorist. 

The first recommended mitigation measure is to create the max- 
imum standoff distance. Significant protection would be provided 
if the east and west sides of the building could be closed to any 
vehicular traffic. The south side has 50 feet of set-back (standoff), 
insufficient to protect the building from a 500-pound charge. A 
vehicle-arresting cable well-mounted to the fence posts will assure 
that a large amount of bulk explosives cannot be placed near the 
building. The north side of the building has 150 feet of set-back 
that extends to the site perimeter of the parking area. This set- 
back appreciably reduces the effects of the 500-pound charge; still, 
installing the arresting cable along the entire site perimeter will 
provide an assured ram-free boundary along the fence-line. To fur- 
ther protect the building from the effects of blast, soil-rock berms 
can be constructed within the fenced area. These soil berms, up to 
six feet high, act as backup vehicular barriers and provide blast 
mitigation to the lower floors. 

The next consequence mitigation recommendation is hardening 
the structure so that the progressive collapse of the building is not 
expected. Wrapping the columns with a carbon fiber embedded in 
resin plastic and applying this material to the wall surfaces up 
to about the third or fourth floors will dramatically diminish the 


294 PART TWO 


likelihood of collapse. The columns should be reinforced with cross 
braces to the floor beams up to about the fourth or fifth floors, on 
all corners of the building, to allow for load transfer. 

The windows on the first four exposed floors also require harden- 
ing measures. The recommendation is to replace the existing glass 
with a more blast-resistant glass, such as a laminated glass, and 
to include anchor-frame-mullion upgrades where needed. 

These consequence mitigation upgrades will reduce the conse- 
quence level associated with a vehicle bomb from High to Medium. 
The loss of life because the building will not collapse is reduced 
from 150 to less than 50. Injuries from falling objects and flying 
glass and debris also will be reduced from 150 to less than 50. The 
cost for restoring the building and its interior equipment will be 
reduced from $200M replacement cost to $50M repair costs. 


13.14.4 Impact Analysis for Risk Reduction Package 


The upgrade package is assessed to have: 


e No negative impact on security risk level; in fact, security 
risk is reduced by the upgrade package. 

High negative impact on cost. The cost for the arresting 
cable installation on the existing fence and gates to the 
site and building soil berms is estimated to be $0.5M. The 
cost of wrapping columns and walls to harden the structure 
is estimated at $5M. The estimated cost for replacement 
glazing is about $1.5M. Addition of physical, cyber-, and 
blast effects protection magnify construction, maintenance, 


and operation costs. 

e Low negative impact on operations and acceptability by 
personnel. The upgrade package is not expected to have 
much impact on day-to-day activities and so is expected to 
be accepted by personnel. 


Demonstration of the Process 295 


13.15 RISK MANAGEMENT DECISIONS 


Building owners, stakeholders, and security risk managers have 
the risk assessment information package to help them make dif- 
ficult security decisions. Many options are available. The purpose 
of the security risk assessment is to provide the decision makers 
with the data and analyses required to make an informed decision. 
Risk managers can decide to: 


e Accept the security risk level of the baseline system, if the 
consequences do not exceed the threshold of acceptability. 
A risk manager might select this option when the conse- 
quences of an attack or undesired event are less costly in 
some way than preventing the attack or mitigating the 
result. In this case, 150 deaths are unacceptable. 

e Buy more insurance to offset the costs of High consequences 
should an adversary attack successfully. If the consequences 
are less than devastating, this could be a cheaper way to 
manage risk. However, in this case, the consequence of 150 
deaths is devastating. 

e Implement the recommended risk reduction packages. Risk 
can be reduced by increasing protection system effectiveness 
and/or by mitigating consequences. Consequence mitigation 
usually involves people, procedures, policies, training, and 
equipment. Consequence mitigation is an appealing choice 
for a building or facility because generally it is a more 
affordable approach for reducing risks than buying physical 
protection technologies. In this case, the risk managers opted 
to implement a combination of consequence mitigation and 
improved protection system effectiveness. 

e Ask the analysis team for additional analyses or clarifica- 
tion. Management did request clarification of the team on a 
number of issues. The analysts were able to satisfy the risk 


296 PART TWO 


managers’ information needs using the already collected 

data and existing analyses. 
e Provide contingency measures for security risks that cannot 
be covered at all times, but can be implemented during 
periods of heightened threat conditions. Management will 
improve evacuation plans and develop responses to alerts 
that will minimize injuries and deaths. For example, if 
adjacent streets cannot be permanently closed to traffic, 
they could be closed during High threat conditions. 
Establish a threat-level description that describes a subset 
of the site-specific threat that can be protected against right 
now, with plans for addressing the higher-level threats as 


resources permit. In this case, the upgrades to the phys- 
ical protection system can be accomplished more quickly 
than the consequence mitigation features of installing the 
perimeter cables, adding berms, wrapping the columns and 
walls, and reglazing the windows. 


While a formal decision has not yet been reached, the managers 
are discussing upgrading the physical protection and the cyber- 
protections systems immediately, developing contingency plans 
and training the employees in following them in the short term, 
and budgeting for the incremental hardening of the facility over 
the next three fiscal years. 

Deciding the appropriate response to an identified risk is the 
province of risk managers. The key to a successful decision is in 
knowingly determining a risk level that is acceptable, given the 
available resources, rather than unwitting acceptance of an exist- 
ing amorphous risk. The purpose of the security risk assessment 
is to provide the decision makers with the information required to 
make successful decisions. 


Appendix А 


Generic Fault Tree for Buildings 


NOTES ON FAULT TREES 


Fault Tree Analysis — An analytical technique, whereby an unde- 
sired state of the system is specified (usually a state that is critical 
from a safety or security standpoint), and the system is then ana- 
lyzed in the context of its environment and operation to find all 
credible ways in which the undesired event can occur. 

Fault Tree — A diagram that graphically and logically depicts the 
interrelationships of elementary events that lead to an undesired 
event (called the “top event” of the fault tree). 

Completeness — key to building a good fault tree is completeness. 
Completeness is achieved by: 


e Careful definition of each event (fault) 

e Taking small steps in logic 

e Being exhaustive at each step 

e Considering faults within this “subsystem” 

e Considering faults in other subsystems that supply or oth- 
erwise support this subsystem 

e Considering events external to the system that can cause 
faults in this subsystem 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


297 


298 PART TWO 


e Being absolutely sure that your definition of subsystems 
does not leave out any part of the system — no matter how 
trivial. 


Top Event — The single event (usually undesired), or fault, for 
which the list of potential causes is sought. 

Intermediate Events — A fault that represents a state that con- 
tributes to the top event but is not itself a failure. This event occurs 
as a result of one or more antecedent causes, and requires further 
development. Intermediate events are represented in fault trees 
by “AND” and “OR” gates (or other logical structures). 

Primary Event — A failure that represents an elementary cause of 
the preceding intermediate event. These events require no further 
development because: 


e Further development may not be possible. 
e Further development may be beyond the scope of the ana- 
lysis. 
e Types of primary events: 
e Basic Event — An elementary cause of component failure. 
e External Event — An external agent acting on the system 
causes a failure within the system. 
e Undeveloped Event — Further development not under- 
taken. 
e Developed Event — Further development of this event 
occurs in some other model — possibly another fault tree 
model. 


SYMBOLS 
Primary Event Symbols: 


О Basic Event (BE) — An initiating fault requiring 


no further development 


Door 


Generic Fault Tree for Buildings 299 


Conditioning Event (CE) — Specific conditions or 
restrictions that apply to any logic gate (used with 
PRIORITY AND gates) 


Undeveloped Event (UE) — An event that is not 
further developed either because it is of insufficient 
consequence or because information is unavailable 


Developed Event (DE) — An event that could be 
further developed or is developed elsewhere but is 
treated here as a primary event 


External Event (EE) — An event that is normally 
expected to occur (usually an event having proba- 
bility of one or zero) 


Gate Symbols: 


DPDD 














“AND” Gate (AG) — Output fault occurs if all of the 
input faults occur 


“OR” Gate (OG) — Output fault occurs if at least 
one of the input faults occurs 


“Exclusive OR” Gate (EOG) -Output fault 
occurs if exactly one of the input faults occurs 


“Priority AND” Gate (PAG) — Output fault occurs 
if all of the input faults occur in a specific sequence 
(the sequence is represented by a CONDITIONING 
EVENT drawn to the right of the gate) 


“Special” Gate (SG) — Output fault occurs accord- 
ing to a logic function defined by the user 


300 


PART TWO 


Miscellaneous Symbols: 














A 


Description — Contains the description of an 
event 


Transfer In — Indicates that the tree is devel- 
oped further at the occurrence of the corre- 
sponding “Transfer Out” (usually on another 
page) 


Transfer Out — Indicates that this portion of 
the tree must be attached at the corresponding 
“Transfer In” 


Generic Fault Tree for Buildings: 








Adversary Causes Disruption of 
Building Mission 











} 


$ 


$ ; $ | 





Disrupt 
Normal 
Work 
Operations 











Compromise 
Structural 
Integrity of 
Building 


Compromise | ; Disable/ 
Health and Disable/ Disable/ Misuse 
Safety of Misuse Misuse Emergency 
Occupants оше; Мо Systems 
































А 


А 


A Disrupt Normal 


А А A A 





Work Operations 














M 


















































+ 5 { = + 
атаде ог P отрготіѕе 
Сотрготіѕе 
В 3 Destroy Health and Safety 
Disable/Misuse Equipment Valuable Item(s) of Occupants 
Information 
System LY A 
А Portable Item or Electronic Item or 














Information Information 





Generic Fault Tree for Buildings 





+ 2 Ү Сотрго! 































































































































































































mise 
Structural Integrity 
of Building 
á Other і 
Ж Exterior 
| Building И Support Elevator 
Columns Foundation Walls т Cross- Banks Stairwells Roof 
amp В 
гасез 
У У У у { { 
Ежепог Interior Emergency 
à ` Load- Load- Tie and Floor Support 
Exterior Interior Bearing Bearing Cross- Beams Beams к Support Walls 
Walls Walls у 
/ 5 \ Compromise Health 
and Safety of 
Occupants 
Violence — 
Sniper, Destroy CBR 
Hostage Building Contaminate 
Situation 
Fire Aircraft Explosion Air Water 



































+ 


+ 











Disable/Misuse 
Physical Utilities 








+ 


Т 


+ 


+ 


+ 


































































































У 
Control хас Waste Electric Compressed 
А Gas А 
Equipment Communications Water Pawar Air Water 
+ У + 
| Commercial] /Emergency UPS Potable | Fire 
Telephone Internet Radio Power Generator с fighting 
Batteries Water 
System System Water 
[Transformer Substation 


Vaults 

















301 


302 


PART TWO 





A Disable/Misuse 
HVAC 














































































































A Disable/Misuse 
Emergency 














* i quipment — | | Ductwork i 
Control Water Electrical Motors, Fans, Air Intakes Exhaust Stawell 
Equipment Chillers Power Compressor System |Pressurization| 
е Етегдепсу 
Commercial Generator 
Off-Site System 
|Air-Cooling Autostart 
Natural Gas| System Panel 



























































































































































Systems 
у l $ у { у 
Disable Fire М | 
Sensors or Destroy Fire Disable Compromise . | Disable 
Smoke fighting Emergency Emergency Disable On-Site Gomirainieations 
Alarms Water Lighting Evacuation Emergency to Emergency 
System Systems ГАХ Communications Response 
Yo A 
Water Pipin Power Water 
Pumps ping Supply 
Damage eo aes Disable Fire- Attack Block 
Safe Preseurization sca У Suppression Staging Evacuation 
Haven(s) System System System Areas Routes 
A Disable/Misuse 
Information System 
| 

Б Disable 

Ек Control 

s teed Center 

у: 








Gain Root 
Access to 
System 


A 
у у у 
Electrical 





[А 


Destroy 
System 











Component 


A 





у 


J 


у 


у 





Software 








From On- 
Site 











From Off- 
Site Power 











Lines 











‘Communication Computer 
Hardware 














Cooling 
Equipment 














Appendix B 


Adversary Sequence Diagrams 


An ASD is constructed for each critical asset included in the 
most-vulnerable strategy. The ASDs are used to model adversary 
paths to the critical asset, to derive the most-vulnerable adversary 
scenarios, and later, to support the reduce risk (system upgrade) 
function. 

The ASD models the physical protection system at a facility. It 
identifies paths that adversaries can follow to accomplish the unde- 
sired event. An ASD can be used to model all possible adversary 
paths through a facility. ASDs for buildings may only have one or 
two layers of protection, but they are helpful tools. They help pre- 
vent overlooking possible adversary paths and, when considering 
protection system upgrades, ASDs help select upgrades that affect 
the most adversary paths and can help to ensure that all adversary 
paths are addressed. For an example, suppose that the undesired 
event is to interrupt or disrupt the information system by attacking 
the control system operations. Figure B-1 shows a sample build- 
ing with two representative physical paths that adversaries might 
take to damage or sabotage the controls (critical asset) inside the 
control room. Cyber-attack scenarios will be addressed in the next 
section. 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


303 


304 PART TWO 


Property Area 





Building Interior 


Control Room 


М. Б санара Раш 2 


Critical Asset 











Figure B.1 Possible Adversary Paths. 


There are three basic steps in creating an ASD for a specific 
building. These include: 


1. Model the facility by separating it into adjacent physical 
areas. 

2. Define the system features between the adjacent areas. 

3. Construct the ASD. 


PHYSICAL AREAS 


The ASD models a facility by separating it into adjacent physical 
areas. Figure B-2 is a facility sketch of the example building. 

Figure B-3 describes the adjacent physical areas of the example 
building. The ASD represents areas by rectangles. 


PATH ELEMENTS AND PROTECTION SYSTEM 
FEATURES 


The ASD models a physical protection system by identifying pro- 
tection layers between the adjacent areas (see Figure B-4). 

Each protection layer consists of a number of system features. 
The types of system features used in an ASD include: 


e DOOR — Doorway 


Adversary Sequence Diagrams 305 


DUCT — Duct 

FENCE - Fence line 

GATE — Gateway (could be pedestrian or vehicle) 
TASK -— Task at critical asset 





Property Area 


Building Interior 


Control 
Room 


ў 


Critical Asset 














Figure B.2 Basic Areas at the 
Example Building. 





Off-Site 
Property Area 
Building Interior 
Control Room 
Critical Asset 























Figure B.3 Adjacent 
Physical Areas for the 
Example Building. 





Off-Site 








Property Area 








Building Interior 
Path Elements — | 








Control Room 














Critical Asset 





Figure B.4 Path Elements between 
Adjacent Areas. 


306 PART TWO 


Off-Site q Physical Areas 






































I 
Property Area Protection 
<“——_~ Layer 





Building Interior 


see |__________ бузјет Ғеаіше 


Control Room 











Critical Asset 
4 Location 


Critical Asset 


Figure B.5 ASD Concept. 























e PORTAL — Series of two barriers with area between (could 
be gates or doors) 

e SURFACE — Could be wall, roof, floor 

e TUNNEL 

e WINDOW 


The basic ASD as it has been developed so far is given in 
Figure B-5. The adversary attempts to sequentially defeat a fea- 
ture in each protection layer as he traverses a path through the 
facility to the critical asset. The ASD represents all of the realistic 
paths that an adversary might take to reach a critical asset. For 
sabotage analysis, only the entry paths would be evaluated, and 
the system features would be assumed to be traversed in only one 
direction. For theft analysis, the ASD shown should be considered 
to be traversed twice — on entry to the critical asset and on exit 
from the critical asset. 

Sometimes it will be necessary to deviate from the orderly 
sequence of physical areas and protection layers of the generic 
ASD in order to create an accurate site-specific ASD. A jump is 
used to model a system feature that does not directly connect to 
the adjacent area. 

Assume, for example, the facility shown in Figure B-6. There is 
a wall common to the building and to the critical asset enclosure. 
This situation is correctly modeled by including a surface jump 
feature from the control building to model this portion of the 


Adversary Sequence Diagrams 307 


Off-Site 
X< x x x xX ~ X 
A Property Area 





Building 





Control Room 
Z Enclosure 


>| Asset 
SURFACE 0 


DOOR ж 





























х x + xX X X x 
Figure B.6 Sample Facility with Jump. 














Off-Site 
[GATE | [FENCE] LAR ] 
R Property Area 1 
[DOOR] [DOOR] [SURFACE] 
Building 
[SURFACE] [DOOR | [SURFACE 


Control Room 


SURFACE [ DOOR | 


Enclosure 

Asset 
Figure B.7 ASD for Sample Facility with 
Jump. 


common surface. As shown in Figure B-7, the ASD then shows 
a direct path that jumps from the building to the critical asset 
enclosure (without passing through the control room) in addition 
to all other selected indirect paths. 


Appendix C 


Physical System Effectiveness 
Worksheets 


ESTIMATING PHYSICAL PROTECTION SYSTEM 
EFFECTIVENESS FOR COMPLEX PROTECTION 
SYSTEMS 


The worksheets in this appendix should be used to estimate detec- 
tion and delay values for path elements of a complex physical 
protection system. 


1. List the path elements associated with the most-vulnerable 
scenario. 

2. Review factors that could contribute to effectiveness in 
Table C.1. 

3. Estimate the Detection function effectiveness by completing 
the appropriate system feature sheets. Use VL for very low, 
L for low, M for medium, H for high, and VH for very high. 
Record the estimates in the second row of the table given 
above. The Detection function includes: 
a. Access control (ID and authorization checks, assessment, 

and communication of alarm) 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


309 


310 


Table C.1 


Site Conditions (terrain, 
vegetation, wildlife, etc.) 


Environmental 
Conditions 

Natural (nighttime, 
inclement weather, etc.) 


Man-made (electromagnetic 
interference, operational 
noise, etc.) 


Performance Conditions 


Installation 


Operation 


Maintenance 
Testing 
Tamper proofing 


Specific Vulnerabilities 


Compensatory Measures 


Inoperable 


Insensitive 


High false alarm rate 


PART TWO 


Effectiveness Factors 


Hardware Personnel 


Training 


Personnel 
Background 
Check 
Motivation 


Physical 
Fitness of 
Personnel 


Alertness 
Skills 
Dedication 


Ability to 
Perform 
Mission 


Coordination 
with other 
security 
personnel (both 
on-site and 


off-site) 


Appropriateness 
of assignment 


Environmental 
conditions 





Operational Procedures 


Appropriateness 


Development of 
contingency plans 


Coordination with local 
law enforcement 


Coordination with 
fire/rescue services 


Review and Revision 
Security planning 


Changes in operations 


Human Interface 


Clarity 
Training 


Operational 


Security 


Frequency of Use 


Rigorous 
Implementation 





Physical System Effectiveness Worksheets 311 


. Contraband detection (sensors for contraband, searches, 


assessment, and communication of alarm) 


. Personnel (security personnel, general observation) 
. Intrusion detection system (sensors, assessment, and 


communication of alarm) 


4, Estimate the delay times associated with each system fea- 
ture by completing the appropriate system feature sheets. 
Delay times will be given in seconds. Record the delay times 
in the third and final row of the table for each system fea- 
ture. The Delay function includes time delays (assuming 
detection has occurred) for: 


а. 
b. Locks 

с. 

d. Task at critical asset to cause undesired event (set up 


Barriers (doors, surfaces, windows, impediments ...) 
Security personnel 


explosives, damage, ...) 


5. Estimate traversal times for the areas between the respec- 
tive system features. Table C.2 provides estimates of traver- 
sal times based on modes of transportation. The times are 
given in seconds and should be listed on the third and final 


row of the table for each area. 


Table C.2. Worksheet for Area Traversal Time 


Estmating Delay Times 


Mode Distance | Rate | Delay Time (s) (Distance 
in Feet Divided by Rate) 

Waking ee 

кайы [вз 


безш [Yaar 
Climbing (up or down) Би 1/58 
Driving (pick up) |  [54ftls 








312 PART TWO 


Table C.3 Response Effectiveness 


Procedures and means to 


Communications System with 
Response Force Provides for 


Radio communications during all 
weather conditions 


communicate with local law 
enforcement 





Rigorous procedures for calling 
off-site response 


Ability to have continuous 
communication during an incident 
related to response force posture 
(i.e., tactics, locations, etc.) 


Ability of control center to 
communicate with off-site response 
by wire and radio 





On-site backup power for radio 
communications 


Ability to authenticate 
communications messages 


Response force: 


Has adequate firepower to delay 
adversaries until backup response 
arrives 


Has sufficient firepower readily 
available to all response force 
members 





Has the capability to covertly signal 
duress to control center 


Has protected fighting positions for 
on-site response force 


[а | M° | H¢ | Justifications / - 








Comments 





Physical System Effectiveness Worksheets 313 


Table C.3 (continued) 

Communications System with L° | M? | H° | Justifications/ - 
Response Force Provides for Comments 

Is large enough in numbers to 

neutralize the threat 


Bas үр 7 


Minimum Value of Response Force 
Effectiveness 


* Low effectiveness: Little evidence of capability. Some effectiveness factors 
not met at all. Some adversary attributes cause severe degradation of 
performance. Little test data available to validate performance 

estimates. 

> Medium effectiveness: Evidence of general, but not specific, capability. 
Some effectiveness factors not rigorously met. Some adversary attributes 
cause important, but not complete, degradation of performance. 

© High effectiveness: Evidence of specific capability of security system to 
address specific concern of questions. All effectiveness factors are rigorously 
met. All adversary attributes are considered in context of defined threat. 
Test data or a specific vendor data validates performance estimates. 





6. Estimate the Response function. Table C.3 provides ques- 
tions to help evaluate the effectiveness of a response by 
local or federal law enforcement officers. Effectiveness 
estimates should be recorded in the summary table below. 
The estimate for the law-enforcement-type response should 
be listed in the summary table below. 

т. Estimate system effectiveness, Pz, the ability of the pro- 
tection system to prevent the undesired event. In general, 
the questions are: Does the system have effective detection, 
delay, and response functions, and does the system detect 
early enough and have enough delay time for the undesired 
event to be interrupted and prevented? The table below 
summarizes this information. 


314 PART TWO 


e The detection entry is the maximum of the values of 
detection effectiveness across the top row of the table 
above. 

e The response value is the summary time value for law 
enforcement. 

e The delay entry is the delay time that occurs after effec- 
tive detection takes place. 

e The delay time will be counted after the first H or M value 
(which ever occurs first in the scenario) for detection. 


A comparison is made: 


a. Ifthe delay time is less than the response time, Pg is low, L. 

b. If the delay time is longer than, but close to the response 
time, Pr is medium, М. 

c. If the delay time is comfortably longer than the response 
time, Pg is high, H. 

d. The estimate of effectiveness of the safety/mitigation fea- 
tures is summarized last. 


НЗ 
в | Response Effectiveness Value 7 
[э [тешз а 


Compare C to D: 


LifC <D 
MifC~D 
HifC>D 


SUMMARY OF SYSTEM EFFECTIVENESS 
(minimum of A, B, and E) 





Physical System Effectiveness Worksheets 315 


SYSTEM FEATURES FOR BUILDINGS 


e DOOR – Doorway 

e DUCT — Duct 

e FENCE - Fenceline 

e GATE – Gateway 

e TASK — Task at critical asset 

e PORTAL — Series of two barriers with area between (could 
be gates, doors, air lock) 

e SURFACE — Could be wall, roof, floor 

e TUNNEL 

e WINDOW 


EXAMPLE 


In Chapter 7, “System Effectiveness,” an example most-vulnerable 
scenario was used to demonstrate the process. The most-vulnerable 
scenario was: The adversary enters the facility via the pedestrian 
gate, crosses the property area and enters the building via the 
personnel door that is unlocked via working hours. The adversary 
then enters the control room via force and destroys the control 
equipment to disrupt the mission of the building. The path ele- 
ments and physical protection features that are associated with 
the most-vulnerable scenario include: 


e Gate (pedestrian) 

e Property Area 

e Door (pedestrian) 

e Building interior 

e Door (Control Room) 

e Task (Destroy Control Room equipment with explosives) 





316 PART TWO 
Path Detection Delay 
Element 
Vehicle No features Normally 
Gate locked 
Wrought iron 
gate 
T Fence No features 5 ft. wrought 
Р» iron 
a 
Pedestrian|No features Always open 
Gate 


Е Area: Transit distance: 100 ft. 





Vehicle No features Metal roll up 
Door door 
Locked off 
hours 
Surface Personnel Reinforced 
5 during block 
5 working hours (walls 
Pedestrian | Receptionist Tempered 
Door during working |glass door 
hours Key locked off 
Door alarmed |Һоигѕ 
off hours 
Е Area: Transit distance: 50 ft. 
Surface Control room Framed 
ù [control |manned 24/7  |sheetrock walls 
5 room) 
Door Badge reader Hollow-core 


Door switch 
alarm 
Control room 





personnel 24/7 


metal door 
Electromag- 
netic strike 


lock 








Selected Path 
Element 


Pedestrian Gate 


Property Area 


Pedestrian Door 


Building Interior 


Control Room 
Door 


Physical System Effectiveness Worksheets 317 


Path Detection Delay Selected Path 
he Element 


| Ата: Transit distance: 5 ft. Control Room 


Task Control room _ |No delay Task 
manned 24/7  |features 


Instructions 





1. Estimate detection and delay levels for the pedestrian gate: 
a. Detection, Figure C-1 
b. Delay, Figure C-2 


2. Estimate traversal time for the Property Area, Figure C-3 
3. Estimate detection and delay levels for the Building Pedes- 
trian Door: 


a. Detection, Figure C-4 
b. Delay, Figure C-5 


4. Estimate traversal time for the Building Interior Area, 
Figure C-6. 

5. Estimate detection and delay levels for the Control Room 
Door: 


a. Detection, Figure C-7 
b. Delay, Figure C-8 


6. Estimate traversal time for the Control Room Area, Figure 
С-9. 
7. Estimate detection and delay levels for the Task: 


a. Detection, Figure C-10 
b. Delay, Figure C-11 


318 


PART TWO 


8. Complete Figure C-12: 


a. 


b. 
с. 
d. 


Identify the first Medium Detection: Pedestrian Door. 
Accumulate Delay time after the Pedestrian Door: 28.5 s. 
Compare accumulated delay time to response force time. 
Accumulated delay time is shorter than the response 
time, hence, system effectiveness is judged to be Low. 


319 


'55оџолпзаца иоцоәәа 297D иещѕәрәа Зиңешцѕ9 pD ANS 








9 "ето шпщщи 
- ѕѕәџәлдоәуэ мопоајед зуб 





5 ую шпшхгүү 





Шә]5Л$ Чодоәәп чојепди 





иоцоәјәд 10) рә] |әйиоз1әд 





2.0 Шпшхеу 





чопоајед риедедиоо 





Jonuog 900ү 


м еч |ео [ке о [о | 


























(2 "140 шпшревуј) АНУЙИП 
NOILOS130 HOS GSN TANNOSH3d 





HA 





H 





[0де@ шорце1 10 AjujsIA ш әйоә@ 10} W 





9000 10] 7 





чођелло5а О |езеџе у 





HA 





чоого pue Ayiqedeo 
з5ејпр цум иовлед рајеорар 10} H 





405198 рејеорер 10} W 











‘UOU 10} 7 








паде 





150d Је |еиџо:је 4 Ашпове 








cee 









































АНУЙИП$ МОШОЗІЗА UORDEIEC 40} POSH) [SUUOSIOg 
(о "а 'узошп 
Авулипз мошоалза амувун мод 
HA 
woisvuedns 
виј|иодеоипшшог ешј рие иоцеори ледшв) 405 H Бачу то ташт 
001591001901; 7 АНҰЛИП5 1ОНІМОО 85309У 
ИШ шеу јо подеэыпшшоо рорішзцед 5 uee 
НА әлорәд |емџоглед 10 елемрлец бицевјер 
(о ‘а ‘ую шп ) 1199 зо ешлојдор дәш 10) Н. ка шоој [одиоо о} шее 30 ио!ѕѕ!шѕиед 


AYVINWNS NOILOSL3G NOISNY.LNI 





зоешлојдер рокер о) үү 





рәршѕиед 5! шуеүе 
aiojaq jauuosied 10 aremprey Buneajep 
Ка шоо; |одиоз ој шшеје Jo uoIssISsUeN 
бщззебАд ло биџевјер шојј 
Aresieape sjuaneid шәјәќѕ ANIOS 10} HA 


109Ш59552 0010) 1 





BulssedAq зо бицеејәр шоц 
Алевјелре чуелоја шејеле Аџпове лој НА 








quewissessy 
9'S ‘p ‘e ‘ZL 30 winuyxey 


H 








HA 


W 








rp So OH 


0010910190020) 1 











H 


40943 AISIMI 10} W 


шеу 00 иодеоипшшог 











ү 


цой 10) 1 


HA 











иоцоәцо ои 40} 7 


(оор гјоцел у) цолвә$ әюцәд 


АїОО о уйәшКодәр дәш 10} H 











шеу 0 иопеоіипшшоо 


HA 


шәшлоәр рәдеәр 20; И 





YOSUS SMOIOBI TO} H 


JUSUISSESSE OU JO} 7 













































































0010989010010) 1 


— HA 30949 KOSINI 104 W 1ЧәшШ55ә5зү 
ALOD 10 зџешлојдер Лешћ јој Н 9000203 1 EZ по шполхој — АНУЙЙПӨ СЇ 
уџештојдер релејер зо} уү цогес 1900051941 WEIR (ae ueos Teuna! Knewoab 
juƏLUSSƏSSE OU 10} HA 
" TUEN урецо зполоби JO} H риец) џопеоцдивр! одешона јој НЛ 
т 49849 A1OSIN 10} W Nid чим үепиәрәлә о} Н 
Е 72 '1 0 шпшхву] — AUVWWNS SHOSNAS 900020} 1 Әрәло лоу 
HA Чоә$ шә 9100203 7 
рө 90818 10} H HA ИШ 307 paremoy al 
UENS PUL 'UONEIQIA “IM-INE} JO} W чоңоөйзш Хе›-Х рїериез 10) Н Миа рче (ә `цеов үешдәл1 'ХдәшоәБ 
игедз рџе 'џопезал 'елм-пеј әцоц 10) 71 А 






































Physical System Effectiveness Worksheets 





































































































| | Јо5џеб ејео) 
HA uopoedaul Rexx үеиәрәлә 10} үү 
цорм поо 10} W н = зрео а! 
900010) 1 то0619р 001031 НА 
ШЕ JOYUOW UONISOd Bye5) 1098180 Гоу теџџовјоа Ха ом ибогол 10 'подеоциол 
HA. HA зәдшпи є *оәцо шоу иоцегџоцщпе 
5105095 9190170 10} Н модпеџ |ешец о оде 02 ел 10у Н ‘aye|d asuaci/eluBisul Jo yoyo [епвл 10} H 
лозцәз ә|Бш5 10} үү А W 
эшо 10] 7 амо 10] 1 Suou 10} 7 
51О05ЧӘ$ ШО5ПДИ] 10109190 ЅӘЛІЅ010Х9 (оор аріцәл у) хоәцо подедпоцпу әојцәл 
W шәзЛ$ цоцдәуәп ио$пди| ү чоцоәәд риедедиоо 1 10диоо 55900ү 





(чбіц Аләл = НЛ “Чбіц = Н ‘шпірәш = у ‘мој = 7) 


иоцэәјәа – 31үә 
әео иегдѕәрәа 











320 


PART TWO 


Pedestrian Gate 




























































































GATE – Рејау 
Barriers Delay(s)] ‘Security Personnel (if applicable) Delay (s)] DELAY SUMMARY __ [Delay (s) 
A | Gate 5. 10 D | Security Personnel atPost 0 1 [Gate (A) 10 
8 ft chain link 10 Noprotection against smallarmsfire 0 2 | Locks (B) 0 
8 ft. chain linkwith outriggers 10 Protectionagainst small armsfire 60 3 | Minimum of and 2 0 
8 — 12 ft. chain link with outriggers 10 E | Security Personnel onPatrol 0 4 | Vehicle barrier (if applicable) (C) 0 
>12 ft. chain link with outriggers 10 Personnel on patrol 0 5 | Delay from Security Personnel (F) 0 
B | Locks 0 Personnel in tower infinite 6 | GATE Delay Time - Sum of 3, 4, and 5 10 
Padlock 16 F | Security Personnel Delay Time (sum of D and E) о 
Electromagnetic strike 30 
Keyed cylinder 30 
High security padlock 60 
Mechanically or electrically coded 60 
Combination 180 
Inaccessible infinite 
C | Vehicle Barrier 0 
Aircraft cable 30 
Concrete blocks 30 
Guard rail 120 
Steel posts 120 
Concrete median 180 
Concrete median and ditch 400 
Crash | beam 180 
Trainbarrier 180 
Bollard 120 
Hydraulic wedge 180 





Figure C.2 Estimating Pedestrian Gate Delay Time. 


Property Area 


Worksheet: Area Traversal Time 
































Di Delay Time (s) 
Mode 20а алса Rate (Distance 

in Feet divided by rate) 
Walking 7 ft/s 
Running 100 15 ft/s 7 
Crawling 4 ft/s 
Climbing (up or down) 1 ft/s 
Driving (pick up) 54 ft/s 





Figure C.3 Estimating Property Area Traversal Time. 








321 


'55оџолпза а иоцоәјәа ооа иеіщѕәрәа Зицешцѕ9 р2опан 























































































































































































































































































































Physical System Effectiveness Worksheets 



















































































(2 110 шпшхеџ) АНУЛМП5 
9 ‘Е јо шпшіцу моцозіза ноз азѕп 13ммоѕнза 
- ѕѕәиәлцоәуэ иопоәјәа нооа | 2 одеа шорџеј 10 Кишом и! ејдооа зој у! 
5 у јо шпшхеј | 9 ‘BUOU IO} 7 
washg иоцоәәп чцо!зпдц| | 6 Es чоцеләвчо 1819089 
порэајап-юјревјеиовва | 7, руе Ауџаедео звелпр цим џолед рејеојрер 405 H 
21 шпшхеу [| € uosied payeoipep 10) 
иоцоәјәд риедедиоо | 2 900020) 1 
1одиоо 55ә20ү | 4 oI (ејаеоцаде у) 1504 је jeUUOSIEg Ayundeg, 
УМ ЈНА | н ји | 7 Анушип5 моц оаза УМјнА | н ји л иоцэәјәа 10; рәѕп јеџиозлед! 
(о “я “у јо шшщ) 
АНУЛИП МОЈ ЭоЗІЗа амуаунімоэ 
HA 
ЧОГБТЛТӘйТТ& ӨШ 
үодеошпшшоә әш рие иоцеори adure} 10} H 
И 
001010190020; 1 
ЕЕ шегу }о иодедіипшшоо | 2 
HA 
л109 10 шөшлојдәр Дәшц 20у Н = 
їиәш/одәр рәләр 10у үү (о в “у зо шпшішц) 
USWSSESSE OU 10} 7 AYVININNS TOHLNOD SSAD9V 
quaussessy | g HA 
9664 10 ШпшХВИ у дәйпз әш подеотипилиоо 
НА әшү рие иореори ледше) Н 
УрӘцо 50105120) Н И 
(0 ‘a ‘y 40 шпшіщур) 349849 AIOSINO 10} үү чодәдәол@ ои 10) 71 
АНУЛИАПЅ МОШОЗІЗАа NOISNYLNI 900020 1 = шегу Jo UONBO|UNUIUOD 
HA i (боор әюцәл и) ЦЧолгә$ әюцәд | 9 HA 
TORSIAISGNS Sul] UOWCOTUNUNIOS НА о пио бер пеш н 
Pue uoneoipul sedwey 40} H жоәцә зполоби 10} Н тиәшКодәр рәйеәр 10; W 
рәқејәр оу 49849 AIOSINO 10} үү 10959552 0010) 1 
01091020 00 юу 7 ‘euoU 40} 7 quoussessy | @ 
шеу јо ага Е] ei цолеоб јеџиозлеа | 5 | | теру шахей АНУЙЙПЗ ПГ Y 
LOD 10 тиәш/ойбәр Дәш 10у Н "pais вполоби а М8 рие Гэә 'цеэв үеиә! 'ХдәшоәБ 
quawAojdep pakejap 10} W yoous ‘KiOsIno 10} W puey) uo! шәр эщәшо 20; НЛ 
woulssesse OU 10} 7 900020) 7 ма чим тедиәрәло то} Н 
шешазовү а = ЧолеәЅ шау | ӯ fenuepesd 104 W 
н а НА 9000 10] 7 
2 "1 10 шпшхвуј ~ АНУМИП5 SHOSIES у ToRsSASH ABI-K Prepa TOH = 07] parenioy CI 
зедћ) 105џ95 ојдупш 20у Н W Ма рие (одә 'ueos peunos 'Лдешовб 
веш риб 10 9јеела 55216 попела ој у уодоөфБи! оц 10) 1 ривц) иодеоуцивр! оддешоју лој НА 
де) Бодопрооо 20 UOU 10} T | | чоћоодви! Хеј“ | Е М Чум јећџарало 10} H 
товџев попедеџед 2000 | € HA тепџарео 1ој у] 
HA 10}8}6p PIEPURIS 10} H 8000 101 7 
чада опообеш раоџејеа 10) H ГЛ X40 GI 
TOMS UoNISod 10} W 9158180 90720]1 С а! 
900012037 | зореје PPN | Z ТӨЧПОЗТӘй ла ПОЧбОЭӘТ 10 "ПОЦЕОДТӘЛ, 
зоџиоу повод 1000 | Z HA зедшпи [еә зјовцо шшој џопегџоцуле 
HA чодпәи үешәщ 10 иоцәәйоэ 1одел 10) Н “әүеүй әзиәоцуеибви јо уовцо PENSIA 104 H 
5лозцәз өїйїпш 10} Н н 
939 1059 це 2А әцои юу 1 auou 4 
BUOU 10} T 
srosueg uoisnnul | 1 1орәәп зәлмвойха | 1 {тоор әрәцәл д) NOBUO UOREZHOUINY SOUSA 
шә]5/$ иопәгәа иозпди HA | H | W чоцоәјәд риедедиоо УМ нім 1 1одиод 55909у 



















































УМ 

(убицу Алал = Нл ‘Чбіц = Н ‘штрәш = д ‘мој = 7) 
иоцэәјәа - нооа 

лоод ивијзорга бшрупа 











322 PART TWO 


Building Pedestrian Door 
DOOR - Delay 



























































Barriers Security Personnel (if applicable) Delay (s) DELAY SUMMARY Delay (8) 
A| Door 5. 30 | | |C [Security Personnel at Post 0 T | Door (A) 30 
Wood 10 No protection against small arms fire O 2 | Locks (B) 30 
Hollow core 10 Protection against small arms fire 60 3 | Minimum of 1 and 2 30 
Wiremesh 30 D| Security Personnel on Patrol 0 4 | Delay from SecurityPersonnel (E) 0 
Tempered glass x30 Personnel on patrol 0 5 | DOOR Delay Time – Sumof 3, and4| 30 
Security glass 120 Personnel in tower infinite 
Steel plate 120 E | Security Personnel Delay Time 0 
B| Locks 30 (sum of C and D) 
Padlock 15 
Electromagnetic Strike 30 
Keyed cylinder X30 
Mechanically or electrically coded 60 
Combination 180 
Inaccessible infinite 


























Figure C.5 Estimating Pedestrian Door Delay Time. 


Building Interior Area 


Worksheet: Area Traversal Time 




















Distance Delay Time (s) 
Mode | Rate (Distance divided by 
in Feet rate) 
Walking 7 ft/s 
Running 50 15 ft/s 3.5 
Crawling 4 ft/s 
Climbing (up or down) 1 ft/s 
Driving (pick up) 54 ft/s 

















Figure C.6 Estimating Building Interior Traversal Time. 


323 


'55оџолпзаца иоцоәәа ооа WOO% јодиоо Зипешцеа 25 9лп8Н 








(с "1 зо шпштеуј) АНУМЛП5 
мошозіза ноз азѕп 1эмчоѕыза 





одеа шорџез 10 Лишом ш әјіоәа 104 W 





910010} 7 





чоуел!ә5дО 1е19090у 











001991010 
дедд взелпр шим иовләй рәүгорәр 10} Н 








човләй рајеојрар 10) W 











2000 10] 7 





jajo eolon 


(его у) 1504] Је шиозләд Ашпдә$ 

















иођзејед 1ој рез |еииозјеа! 








(о 'я 'у уо шпшшщ) 
AYYWWNS NOILO3L3A ANYAYYLNO9 


9 Ею шшщ] [| 
- ззеџелцовуа иодоајед носа 
97р о шпщхед 
шә]5Ас иопцогуәп иовпди ке 
чопооәп 20у роп 9шш08194 ОТ 
о шпшхтуү 
чоцдеәп риедедио2 
ТОДЧОО 58$ӘООу 
ни 1 АЧУЙИПЅ МОІ19313а КЛИП m 





HA 





чоүлтөбп әш 
| рџе џодеојри әйше} лој Н 








Ww 





11019910110011011 





шеу јо иопеошпшшоо | 2 





HA 





ЛОО ло шәшКодәр Дөш 10) Н 











109Ш59552 0020; 1 





їиәшЛодәр рәйеүәр 10) үү Е 


(о а “узо штшш) 































































































































































































Physical System Effectiveness Worksheets 


























































































































= queussessy | a Анулип5 тон мод ssa00¥ 
95:65 о шпшеј | У чојушедп5 ва џодеојипшкиоо 
HA 
жоөцә зполоБи 10) Н 
(о 'а уо шпшщу) yoayo Ai0sino 40) W 
E AHYWWNS NOILO3LIQ NOISNHLNI 90001037 = т ИНЕ 
HA Goop әјоіцәл у) цогеәЅ әјоцәл |9 10 џорео НА 
чоулгәйпв әш 0одеоотшшоо HA ee 
әш рив иодеори әдше} јој Н жоодо впозоби то Н ІО % уйәшЛодәр әш 10} H 
|рәЛеәр 1оу үү 49849 AIOSINO 10} W зиәшКо{йәр рәләр 10) үү 
91021 002037 900020) 7 1090559552 0010] 1 
|| ушеу о иоңеошпшшог || цолеоб |еџџовјеа | 5 queussessy | g 
HA HA EZ "4 ю шпщіхед – АНУЛИПЅА | У 
А1ОО 10 тоештојбар ASW 10} H зец SNOIOBU FO} H Ма рие (оде 'иеоѕ eune "Anewoeb 
зиөш/одәр рә/еәр 10 үү 49840 AIOSINO 10} W рицец) иоцеошиәр одешоја јој НЛ. 
3џәшѕ5ә558 00 10] 1 ЕТШЕ ЛЫ Nid UUM гећџерело 104 H 
a шәшзөззвү = yoreas Woy |b тециәрә1о 10} W 
‹ Е HA 900010) 1 
|2 "1 10 шпшхеу – АНУМИЛ5. SWOSNaS чопоөйзи Хех рїерие]510) Н = от Реала а 
W о т 
зә 1055 әйүпш 10] Н Nid pue (‘939 ‘ueos jeunal ‘Anjewoeb: 
веш рџб Јо зала 55916 "џопезау Јој юс ie рцец) иоцедшиәр эщәшод 10} НЛ. 
әйе Биоприбо 10 әшои 10} 1 = uoppedsuj Aerx | Є Ма im еййәрә 10} Н 
| | Josues џопелеџед 1000 HA цәрәлә 10} үү 
HA 9088) PEDIES 7 Б 
Чора оңәцбеш рәоиүед 10} Н E 
Чой џогзоа тој W завера | |] Ж ue a 
9000 10} 7 = ASG EW |e Jeuuosied Aq uomuBooe 10 ‘UoRBOyUEA 
E ойо оре 1000 HA ледшпи үешәз 'уоәцә шоу иоценоцпе 
егей уишн Ж одопоо з08ел 10} H “өте өзигоцуе!ибуви! д0 хөц [ENSIA 10} H 
W 
W 
5000 тој 7 шои 0/1 50002037 
3108095 мојеплот 20рәјәд ѕәлѕохэ | F тоор өюцәл д) о9о VOREZHONY PUSA 
ил шајзла иоџогјо у иојзпаиј ни чоцоәјәа риедедиоо wN [HA] H |W | 7 10u09 sse00y 





(чбіч Лләл = HA ‘Чбіц = Н 'штреш = у ‘ој = 7) 


чоцэәјәа – ооа 
лоод шоон |одиој 




















PART TWO 


324 


‘әш Кејәа ооа WoOoY үодиогу Sugewgs3 8 angi 













































































uuu! Əjqıssəveu] 
081 иоцешашоо 
09 _рароо Ајеодоаје 10 Лјеошецовуј 
oe зерш о релом 
ое Х еуш5 одеибешодовја 
SL зројреа 
| (а рце 2 4° wns) 0Є 53001 
о әш! Авјед јеџиозлед Ауџпоеб Ozh 21214 19915 
о у рче *є о шп — әш Лајеа нооа | S | Јама едай ог! зоб Auunoos 
одеа ио јәииоѕәа oe ssej6 реједше | 
4 п (a) jeuuosied 5 ee jac fed Z [0 іодеа ио јеџџовзед Мипооб. ов Чвәш әлл\ 
— 09 Ə sw |јеш5 15штебе иоцдәолд OLX әоо моон 
oe (g) syoo7 | Z | 0214 suue jews suree џопоајолд ом OL poom 
OL (у) ооа | E [о 1504 19 |еџџоглед Липооб: OF `5 "51000 
(S) Aerar AYYWWNS АУТА (5) Лејеа| __(ејдеоцаде у) јеииовлеа Хизпогб 5) Кајо ззәшея 























Кејза – нооа 


ооа шоон іодиод 











Physical System Effectiveness Worksheets 325 


Control Room Area 


Worksheet: Area Traversal Time 





Delay Time (s) 





























Dist 
Mode ЕЕ Rate (Distance Divided by 
Rate) 
Walking 5 7 ft/s 0 
Running 15 ft/s 
Crawling 4 ft/s 
Climbing (up or down) 1 ft/s 
Driving (pick up) 54 ft/s 





Figure C.9 Estimating Control Room Area Traversal Time. 


PART TWO 


326 


:ѕәџиәлцоәуа иоцэәјәа sel SulyewsSy OLD nS 








£ ‘2 ‘10 шпшхеуу 

— ѕѕәџәлцоәуЭ иодоәјәа иЅү1 
џопогјед 101 резп 190005194 | Є 
шәјѕ/Ѕ иоцоәјәа иоѕпдц | е 
10диод 920ү | 1 









































WN/HA| H/ Wi 7 АНУЙИП$ МО!1231За 
(о “а “узо шшш) 
AYYWNNS NOILOZLIQ NOISNHLNI 





рәшш»ицрд 8! шеје 

әлојәд |әчиоѕ1әй зо әлемрец бидеәјәр 
Ка шоо јодиоо о} шере јо ио!ѕ1шѕиед 
биѕѕеа/а зо бицеәјәр шоу 

Алезлелре зјидлела шејзл5 Мипог5 10] НЛ 























H 
л 
џоповјоја оџ 104 7 
ЈЕ шегу јо иореоіипшшоо | 2 
HA Ш (о “а “у уо штшшщ) 
ALOD 10 иәшКоүдәр Дуәшц 10} Н AYYWWNS 0YLNO9 SSJ99V 








рәрішѕиед ѕ! шее 

глојед |еиџовјед ло елемрлец бицеәјәр 
Ка шоо; јодиоо оу шер јо и 
биѕѕеада ло бицеәјәр шо 


зчәш^одәр рә/ејәр 10} W 
109Ш85955Р 00 10) 1 
шәшѕѕәѕѕү | 9 














































































































































































































p pue Aresiaape 5уиәләлй шә]}5Л5 Аџпов5 јој НЛ. 
‘E ‘Z ‘L 40 WNnwXeN - AYYNNWNS SHOSNIAS | М H 
HA W 
5108цә$ әүйүпш 10} НҢ иоћовјола ои 10) 71 
чзәш риб рце цоңелал 10} үү Г] шегу уо иоредшпшшоо | 9 
эде бицоприоо 10 əuou 104 7 HA 
ЈЕ] 20ѕиәЅ иопедеџед еоеупо | р 199 10 зшешлојдер леш Јој Н 
HA juawAojdap paAejap 10) W 
sedf} Josuas ejdiyjnwi 03 Н 1ЧӘШЅ5Ә55 ОН 104 1 
цѕәш риб го ‘еә ѕѕәб ‘иодезаіл 20) ү] yuəwussəssy g 
ede} Buonpuos 40 udu 10, арие | јо шпшіхеуі -АНУИИПЅ а у 
3 биопр' +7 
| (ёрие | јо шпшхеуў) АНММИП5 = 10595 чопедеџеа 1008 | Е НА 
NOILO3L3G HO4 GASN TSNNOSY3d HA шее цим\ UOREAIASGO Payeoipep 40} H 
| HA Чарм опәџбеш рәоиеед 20 Н цоделзеецо реце аг га ү 
од i 
| одеа шориет зо шол ш әјаоәа 20у уу а шім 20 еәе щ еоџевала 10 гџои JO} 7 
euou 194 1 | | gins uosied om, 
| чоңел1ә5до [еәцәю | @ Кай z ' НА HŽ 
| рӘ5$5ӘООЕ 5! ПОЦеОО| 
| гео рив доза: зювиеѕ Атиәшәйшоо өїйпш 10) Н ешћ цове џодеоуџел иопегџоцупе 10у Н 
| __џогјед рајеорер Јој Josuas әбшщз 10} W подетиощпе уо иоцеләздо үеләцәб 10) үү 
| 900010) 1 910020} 7 эшой 10/1 
| ШИЕ (ејавоцаде д) у5од уе үәциоздәд Дшпдәс | | || 5105005. џојопДиј лоџађу | | | iz урец5 чоцегоцупу 55802 |еиџозед | | 
чоцоәјәа 10; рәѕп Іәииоѕләа WN|HA;H|W/ 7 шәјѕ/$ иоцоәЈәд VOUI VYN|HA| H |W lonuog sseooy 


























(чбіц Алал = HA ‘ysy = н 'штреш = у "мој = 7) 
иоцоәјәа – ЯЅУ1 





јиошатра шоон јодио лод5за 








327 


Physical System Effectiveness Worksheets 


'ош Кејәа jse Sugewnsa 


LLD ANS 








о} 


9 рие “с ‘у јо шпЅ – әш ejod YSYL 





(8) јечиозлед Ашпооб шоу Хејед 





(а) ошу зе] јеблеј 








€ pue Z pue | JO шпшшуј 


(4) aw Aejaq jauuosiag Ayundag, 








(0) воврпо елпзојоиз јебле] 





(а) 1000 елпзојои 3 јебле | 


09 
0 


елу зше |јеше јошебе џоповјоја 
әу ѕше |јешѕ ұѕшебе иоповјолд ом 











ојојојо| 5 |о 


(у) жол әлтзоуоиз }әбле ү 


= |сч|оо|что о 


150d е jeuuosiag Ayinoasg | Э 














(5) Хејед 





AYVININNS AVIS 














0 
(s) Aerea 














(егаеонаде у) јеџиозлеа Ápunəəs 












































SIX 

SL ош] узе] јеблеј 
09 Bunesb `u! 2 Ка ш 91/Є 
09 Бипезб ш #22 Ла сш г 
00Є ysaw “bs 41 Ла ‘Ш 8/Є 
09 узеш ‘bs у | Aq sayoweip “ul % 
гр гејәш ебпеб 91. 
oe узеш рерџедке әбпеб 6 
06 роомлја рие рпја роом, 
oe ҳоодәәц рие рпіѕ роол\ 
09 55216 aes 
09 ѕѕејб рәјешше7 
09 оцѕеја әјеиодгеоќјоа 
$ 85206 реледше | 
og ased qoy 

0 әоеупѕ әлпѕојоиэ 19612] 
06 55916 Hayes 
5 55816 раједше | 
сі 
ZL 01d ебицу/моој оџ 'ејеш глоо мојон 
ог чзәш әлм әбпеб 6 
21 роом 

0 1000] әлзоудиз јебле | 
ТП ЕТТЕ ЕР 
ог! рероо Мјеошодје ло Ајеошецовуј 
ozt иоцещашод 
Gv зәршіќә рәқәу 
09 »ројред Липова убин 
Ov »оојреа 

0 "5 207 әлпѕојоиэ јәбле 

(s) Kerad] вәшеа 











Кејед – ASYL 





јиошапба шоон јолио5 Лолј5од 











328 


PART TWO 


Estimate Physical Protection System Effectiveness 





Path Elements for Most- 
Vulnerable Scenario 


Detection Level 


Delay Time (Seconds) 


























Gate (pedestrian) Low 0 
Ргорепу Агеа 7 
Door (pedestrian) Medium 30 
Building Interior Area 3.5 
Door (pedestrian) Medium 10 
Control Room Area 0 
Task at Target Medium 15 


Delay Time After Detection 


A: 28.5 seconds 





Response Time 


B: 300 seconds 





Estimated System Effectiveness Level 
A < B, System Effectiveness = Low 
A ~ B, System Effectiveness = Medium 
A > B, System Effectiveness = High 





System Effectiveness: 
Low 





Figure C.12 Estimating Physical Protection System Effectiveness. 





Appendix D 


Insider Threat 


INTRODUCTION 


The greatest challenge to any security system is protecting against 
the insider threat. Relative security risk is usually judged to be 
at the High level for the insider because most protection systems 
are ineffective in preventing an insider from causing the highest 
consequences if they decide to become an adversary. The insider 
may have authorized access to the building, sensitive information, 
the information system, and other critical assets. Historically, sys- 
tematic approaches to address outsider threats have proven to be 
valuable in developing effective protection systems and for iden- 
tifying vulnerabilities. An analogous systematic approach must 
be used to develop an effective protection system for the insider 
threat and to identify vulnerabilities or gaps in protection. Protec- 
tion measures for the insider threat may be limited by legal and 
political issues. High regard must be maintained for adhering to 
laws that protect personnel privacy and for corporations earning 
and maintaining the trust of their employees. Security risk will not 
be estimated here for the insider threat, but instead, the design of 
an integrated protection system to mitigate the insider threat will 
be discussed. 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


329 


330 PART TWO 


INTEGRATED PROTECTION SYSTEM FOR THE 
INSIDER THREAT 


What is needed is a security system to mitigate the insider threat 
that addresses the insider before the employee decides to become 
an adversary or during the “pre-recruitment” by a malevolent 
group. Further, the security system must integrate protection 
functions like personnel security, physical security, cyber-security, 
and operations security in order to provide protection in depth. Best 
practices for each protection function cannot just be pieced together 
with the expectation that the insider threat has been mitigated. 
A systematic approach is needed to design a performance-based 
security system to mitigate the insider threat for both intelligence 
and terrorism concerns. Figure D-1 outlines an approach to develop 
an integrated protection system to mitigate the insider threat. 
The approach builds on five basic steps: 


1. Derive undesired events for the insider threat. 
2. Analyze the insider threat. 




















Derive Analyze 
Undesired Insider 
Events Threat 





Integrate Protection 
Features to Mitigate 
Undesired Events 

У 


Identify 
Gaps in 
Protection 
У 




















Upgrade 
System if 
Necessary 











Figure D.1 Process to 
Develop an Integrated 
Protection System to 
Mitigate the Insider 
Threat. 


Insider Threat 331 


3. Identify protection features to mitigate undesired events. 
4. Identify gaps in protection. 
5. Upgrade the protection system, if necessary. 


UNDESIRED EVENTS 


An initial step in the process is to list all of the possible site-specific 
undesired events for the insider threat spectrum. These undesired 
events may include causing loss of mission with the same unde- 
sired events that were analyzed for the outsider threat or there 
may be undesired events particular to the insider threat. Unde- 
sired events are those events that you do not want to happen or the 
undesired events that the protection system should prevent the 
insider from accomplishing. Examples of undesired events include 
collaboration with a competitor corporation to compromise propri- 
etary information or recruitment or collusion with an international 
terrorist group, sabotage of critical assets, or workplace violence. 
Lists of undesired events will vary depending on the mission of the 
facility. Undesired events can be ranked or prioritized based on 
relative consequences. 

Each undesired event should be analyzed to determine all of 
the steps required for the insider to carry out the undesired event, 
including the recruitment phase or decision to undertake the event, 
and the actual steps required to successfully complete the event. 
As was discussed in a previous chapter, a logic tree provides a 
graphical means to develop the root causes of an undesired event. 
Development of the tree can be continued to derive all of the means 
that the insider adversary could use to cause each undesired 
event. The symbol that appears below the event’s name is used to 
designate either how that event is logically related to other events 
or how well the causes of the event are known. A reminder is that 
there are two kinds of logic gates, the AND gate and the OR gate, 
used in logic diagrams. The shape of the AND gate is a round arch 
with a flat bottom. For the event described above the AND gate to 


332 PART TWO 





Insider Colludes with 
Outside Group to Steal 
Sensitive Information 


(\ AND 


























Insider is Insider Gains or Insider Removes Insider Passes 

Recruited Has Access to Sensitive Sensitive 

by Outside Sensitive Information from Information to 
Group Information Site* Outside Group 


























A A A A 


*Note that insider adversary scenarios for theft can be assessed by ASD and path-methods 
described in Chapter 7, "System Effectiveness." 


Figure D.2 Basic Logic Tree for Example Undesired Event. 


occur, all of the events that have an input into the AND gate must 
occur. Thus, if any one of the input events can be prevented, the 
event described above the AND gate will be prevented. The shape 
of the OR gate is a pointed arch with a curved bottom. For the event 
described above the OR gate to occur, any one (or more) of the events 
that input to the OR gate must occur. All of the input events must 
be prevented in order to prevent the event described above the OR 
gate. The transfer operation is represented by an upright triangle. 
The transfer operation is used to make the graphic display of the 
logic tree more compact and readable because it allows the tree 
to “continue” on another page. Figure D-2 provides an example of 
first-level development for an example undesired event. Note that 
because all four of the events are required for the top event (the 
undesired event) to occur, prevention of any one of the four events 
causes the insider to fail to collude with the outside group to steal 
information. The process provides a logical, systematic way to use 
resources effectively. The tree could be developed further in order 
to derive all of the ways or the scenarios that the insider adversary 
could use to cause the specific undesired event. Figure D-3 further 
develops the event “Insider Gains Access to Sensitive Information” 
represented by the #2 Transfer Symbol. 


Insider Threat 








Insider Gains Access 
to Sensitive 
2 Information 











in 











Insider is 
Authorized 
to Access 











O 














Insider Is Not 
Authorized to 
Access 








Insider Defeats Insider Defeats 
or Bypasses or Bypasses 
Authorization Detection (by 
Check (by people or 
people or hardware) 


СА 





Insider Defeats 


or Bypasses 
any Barriers 
(locks, doors, 
walls, vaults) 





hardware) С) 


О 


Figure D.3 Development of Branch of Tree. 


ANALYZE THE INSIDER THREAT 





333 


Insider Gets 
Hands-On 
Access to 


Information 


A description of the insider threat spectrum must be completed in 


order to design or evaluate an appropriate protection system. It is 
difficult to know how much protection is adequate without some 
judgment about the level, access, and sophistication of the threat 
that the system must protect against. An insider is defined as any- 
one with knowledge of the operation, sensitive information, and/or 


the security systems and who has unescorted access to facilities 
or security interests. A full-range insider threat spectrum would 
include these categories: 


e Provides information only 


Passive insider — commits no overt acts 


Active insider — participates actively 


e Nonviolent (unwilling to use force against personnel) 


e Violent (active, violent participation — willing to use force 


against personnel) 


334 PART TWO 


The active, violent insider is a very difficult adversary to protect 
against. More than one insider is possible, but emphasis is placed 
on addressing the single insider, the most probable insider threat. 

The motivations for the insider threat can be the same as those 
for the outsider threat. Motivation is an important indicator for 
both the level of malevolence and the likelihood of insider attack. 
Motivations might include: 


e Ideological — A fanatical conviction. 

e Financial — Wants or needs money. 

e Revenge — Disgruntled employee, contractor, customer. 
e Ego — “Look what I can do.” 

e Psychoticunstable but capable. 

e Recruitment or coercionor family or self threatened. 


Insider adversaries have advantageous characteristics that distin- 
guish them from other adversaries: 


e Operational/system knowledge that can be used to their 
advantage 

e Authorized access to the facility, information system, sensi- 
tive information, security systems without raising suspicion 
of others 
— Can conduct test and rehearsals 
— Can test the system with normal “mistakes” 

e Opportunity to choose the best time to commit an act or can 
extend acts over a long period of time 

e Capability to use tools located at work location site 

e Recruitment/collusion with others, either insider or out- 
siders 


All employment positions at a facility should be included in the 
threat analysis. Any employee may pose a potential insider threat, 
even trusted managers and security personnel. Insider positions 
might include management, regular employees, service providers, 


Insider Threat 335 


Table D.1 Example Summary of Insider Capability by Position for a Given 
Undesired Event 


Job Category Knowledge Authority 
Information system administrator Medium 


Security maintenance Medium 


visitors, inspectors, and past employees. Positions at a typical 





building might include: 


e Managers 

e Staff 

e Information system administrators 
e Security personnel 

e Administrative staff 

e Contractors 

e Custodians 

e Maintenance personnel 

Vendors 


e Past employees 
e Visitors 


The product of the Insider Threat Analysis is the identification 
and characterization of potential insider adversaries. The objec- 
tive is to identify general personnel job categories in terms of 
knowledge, access, and authority related to each of the undesired 
events/related critical assets. Efforts should be made to ensure that 
all appropriate personnel assignments are included. The goals are 
to identify what job categories could provide the greatest advantage 
for the insider adversary intending to cause the undesired events 
and to understand the potential capabilities of an insider adver- 
sary. Table D.1 provides an example table used to summarize the 


336 PART TWO 


insider adversary spectrum for a given undesired event. Analysts 
can use the summary tables for undesired events to complete the 
insider assessment. A qualitative High, Medium, or Low judgment 
should be assessed for the level of: knowledge, access to the critical 
asset, and authority afforded by each job category to cause the 
undesired event. 


INSIDER KNOWLEDGE 


The type of insider knowledge that provides a significant advantage 
to the insider adversary includes knowledge of: security/control 
features, work schedules and assignments, locations and charac- 
teristics of critical assets, specific details of facility operations, 
known weaknesses, and gaps in protection. 


INSIDER ACCESS 


Insider access that can be used to cause an undesired event includes 
the usual authorized work access, special temporary access to other 
areas, and the access to other employees as a source of expanded 
information. 


INSIDER AUTHORITY 


Insider authority that the insider adversary can exploit is described 
as management authority over others, personal influence over 
others, the authority to do assigned tasks, and the ability to get 
temporary authority to do any task. 


PROTECTION FEATURES TO MITIGATE THE INSIDER 
THREAT 


After the insider positions have been summarized in terms of 
knowledge, access, and authority afforded to the position to cause 
a given undesired event, the next step is to address the protec- 
tion system features to mitigate the insider threat. The basic 


Insider Threat 337 


functions of an integrated system to mitigate the insider threat 
include: 


e Minimize the potential for hiring an adversary. 
e Deter the on-staff employee from becoming an adversary. 


MINIMIZE POTENTIAL FOR HIRING AN ADVERSARY 


The natural desire is to not hire anyone with a potential of becom- 
ing an insider adversary. Even though there is never a guarantee 
of this situation, pre-employment screening and the deterrence 
provided by individuals knowing that they will be screened pro- 
vides some level of protection. Pre-employment screening could 
include not only a thorough application process but also some level 
of background check. 

The application process should be very straightforward, and the 
fact that a background check is a required part of the application 
process should be very clear. A medical examination and drug 
test should be required. The application form should be extensive 
enough to ensure that it asks for all of the information needed to 
evaluate the applicants. Job opening and application details should 
be posted far enough in advance to allow time for the background 
check to be completed before hiring. 

Background checks can be as extensive as needed, depending on 
the level of consequences that could result from the compromise 
of the facility due to the actions of an insider threat. For some 
facilities, just an application form and an interview would suffice; 
others may use some combination of a search of national criminal 
records, a cursory follow up of the information on the application, 
and a rigorous follow-up of activity of most recent years. The 
follow-up might include interviewing references, investigating the 
candidate’s financial affairs, and interviewing previous employers 
and colleagues. Some level of background check should be repeated 
on a prescribed schedule to provide active continuous monitoring 
of personnel. 


338 PART TWO 


There are various benefits of conducting background checks. 
References may reveal information not provided on the applica- 
tion. Criminal records could provide some history of malevolent 
behavior. Financial history might provide an indication of stability 
as well as potential susceptibility to extortion. A review of work 
history could reveal tendencies to anger, reliability, competence, 
and personal conduct. 


DETER EMPLOYEES FROM BECOMING AN 
ADVERSARY 


Several layers of protection should be implemented to deter the 
existing employees from becoming an insider adversary and to 
prevent the insider adversary from causing the undesired events. 
The desired perception is that any malevolent act will be detected 
and prosecuted. The protection goal for the insider threat is to 
make it “easy to do the right thing, very difficult to do the wrong 
thing.” According to Turner and Gelles in Threat Assessment, A 
Risk Management Approach, one of the most frequently offered 
rationalizations by convicted trusted insiders was that “security 
was lax; tighter security would have been more of a deterrent.” The 
layers of protection to deter the insider adversary might include: 


Security awareness 


e Personnel screening for persons in high-risk positions 
e Minimization of opportunity for malevolent acts 

e Integration of effective security function features 

e Proper response to malevolent acts that do occur 


SECURITY AWARENESS 


Security awareness is a program intended to utilize the non- 
malevolent majority of employees to detect and deter malevolent 
conditions. The program is normally part of a routine frequent 
employee training on operations security. Awareness sensitizes 


Insider Threat 339 


employees to watch for and to report or interfere with potential 
malevolent actions. Security awareness must address and instruct 
for the full spectrum of security functions — personnel, physical, 
cyber-based, information, and so on. 


PERSONNEL SCREENING FOR PERSONS IN 
HIGH-RISK POSITIONS 


A higher level of personnel screening may be required for high- 
risk positions. High-risk positions are those that afford employees 
access to the most sensitive information or critical assets as a part 
of their normal job assignment. The additional screening conducted 
for these persons could include frequent drug screening, physical 
and mental evaluations, law enforcement checks, credit checks, 
and supervisor and coworker observation. Screening of persons in 
high-risk positions must be continuous and timely. 


MINIMIZATION OF OPPORTUNITY FOR 
MALEVOLENT ACTS 


Each facility should identify ways to minimize the opportunities 
for an insider to conduct a malevolent act. A common method 
is to compartmentalize the facility. Compartmentalization can be 
achieved by limiting access to sensitive information or actual assets 
to only those needing it for job duties, further restricting access to 
the assets that could result in a high-consequence undesired event, 
enforcing a multi-person presence in critical areas, and allowing 
for monitoring of activities to detect potential malevolence and to 
identify who is responsible for the act. 


INTEGRATION OF EFFECTIVE SECURITY FUNCTION 
FEATURES 


Protection features from personnel security, physical security, 
cyber-security, and operations security must be integrated to miti- 
gate the insider threat. Usually, these protection features function 


340 PART TWO 


independently and are not integrated toward a common objective, 
but no single one of these functions, acting alone, can answer the 
insider threat. The protection features must function together to 
detect, delay, and appropriately respond to the insider threat. 

Malevolent actions can be detected by administrative controls, 
technology controls, and noting suspicious incidents of noncom- 
pliance with procedures. Administrative controls might include 
multi-person presence, key control, and behavior observation. 
Technology controls might include item or process monitoring, 
information system use, or communication system use (telephone, 
e-mail, FAX). A higher incidence of noncompliance with procedures 
could be “tests” of the protection system or enforcement system. 
It is extremely difficult to detect the insider who is working with 
an outside malevolent group. Historically, spies are not usually 
caught; they are reported by other spies. 

Entry/exit control can be used in physical security to enforce com- 
partmentalization and access. Entry control enforces authorization 
checks with a picture badge inspection, electronic credential, 
personal identification number (PIN), or some biometric check 
like fingerprints, eye-retinal pattern, and the like. Entry control 
schemes might include contraband detection to prevent the intro- 
duction of weapons, explosives, or other tools that could be used in 
a malevolent attack. Exit control is used to detect the unauthorized 
removal of high-value assets. 

Cyber-security measures can be implemented to detect misuse or 
unauthorized activity with information systems. The monitoring 
capabilities of information security could report changes in use 
habits or unusual cyber-activity such as: an increase in accessing 
critical assets or sensitive information, attempts to gain access 
to unauthorized computer sites, extensive communication to web 
sites and/or electronic addresses that are not work related, sending 
and receiving encoded messages, attempts to access the computer 
of coworkers, and so on. 


Insider Threat 341 


The goal of operations security is to prevent sensitive oper- 
ational information from being inadvertently released. Control 
is imposed on handling and disposition of hard-copy, electronic 
media, and any other media containing sensitive or intellectual 
property. The operations security program can be enforced by mon- 
itored procedures and is most effective where security awareness 
is at a high level. An important component of operations secu- 
rity is extensive and continual employee training in site security 
matters. 


PROPER RESPONSE TO MALEVOLENT ACTS 


A precedence of consistent, proper response to malevolent acts 
may deter the insider considering some malevolent act. The per- 
ception among employees should be that malevolent acts will be 
detected in a timely manner, the malevolent task will be difficult 
to accomplish, and there will be consequences (prosecution). The 
response to any malevolent incident should be immediate, the inci- 
dent should be reported, the perpetrator should be interrogated, 
and the punishment commensurate with the act. 


IDENTIFICATION OF GAPS IN PROTECTION 


Once the logic tree for each undesired event has been developed 
as completely as possible, protection features of the existing pro- 
tection system can then be associated with the basic events or 
“bottommost” events of the tree. Logically, if these basic events can 
be prevented from occurring, the topmost event or the undesired 
event can be prevented from occurring. Protection features for 
these basic events can be features from personnel security, physi- 
cal security, cyber-security, and operations security. The common 
objective supported by a logic tree is that the goal is to prevent the 
undesired event. For each basic event, protection features from any 
or all of the functions should be integrated with each other to pre- 
vent the undesired event from occurring. Figure D-4 provides an 


342 PART TWO 





Insider Gains 


Access to Sensitive 
2 Information 






















































































Insider is Insider is Not 
Authorized Authorized to 

to Access Access 
Background checks 7 7 
High-risk position Insider Defeats Insider Defeats Insider Defeats Insider Gets 
screening or Bypasses or Bypasses or Bypasses Hands-On 
Physical Security: Е á х a на: 
Special А Authorization Detection (by any Barriers Access to 
electronically Check (by people or (locks, doors, Information 
enforced people or hardware) walls, cages) 

hardware) О О () 











No other protection 


ө Physical Security: i features 
y: People present during Locked safe 


Need to know enforced working hours Material/info in 
by Information : personal custody when 
Custodian . Password control not in safe 
у: 
Combination to safe 
controlled 


Figure D.4_ Example of Integration of Protection Function 
Features. 


example of integrated protection features from various protection 
functions that might be expected to prevent the undesired event: 
an insider gaining access to sensitive information. 

After protection features have been associated with the events, 
the next step is to systematically review the features to assess 
their adequacy in ultimately preventing the undesired event. Gaps 
in protection are identified by no features or features judged to be 
inadequate for each event and then for upper events and, finally, 
for the topmost event (undesired event). The first pass through the 
logic tree is to identify the basic events for which the protection 
system provides NO protection, then the analytic team should eval- 
uate the protection system features for the remaining events and 
judge whether or not the features could perform together to prevent 
the undesired event. Note that to prevent items with an OR gate, 
all events pictured below the gate must be prevented since any one 


Insider Threat 343 


of them could cause the event. To prevent items with an AND gate, 
only one of the events pictured below the gate must be prevented, 
since all would be required to cause the undesired event. Normally, 
not one single protection function can adequately protect the event, 
but through integration and coordination the protection functions 
can work together to either prevent the undesired event or make it 
very difficult for the insider to accomplish without being detected. 

Protection vulnerabilities or gaps in protection are identified 
by the lack of protective measures for a given basic event and/or 
for features that are judged to be inadequate for a particular 
basic event that logically leads to the undesired event occurring. 
The identified gaps can occur in one or more of the protection 
functions of operations security, physical security, cyber-security, 
or personnel security. 


UPGRADE THE PROTECTION SYSTEM 


If gaps in protection are identified, the protection system can be 
upgraded by deriving features to be added for the individual events 
that would deter the insider or (logically) prevent the undesired 
event. The process should be continued until all gaps in protection 
are reduced. The systematic approach provides assurance that 
the protection functions are integrated to deter the insider and/or 
prevent the undesired events. Protection features are selected 
for their function in preventing undesired events. The resultant 
protection system is based on the integration of protection systems 
to prevent or mitigate the undesired event. 


SUMMARY 


The insider threat continues to pose the greatest challenge to pro- 
tection systems. A systematic approach supports the design of a 
cost-effective, integrated protection system to mitigate the insider 
threat. A systematic approach ensures that that the protection 
functions perform together to mitigate the undesired events and 


344 PART TWO 


thus make it difficult for the insider to do the wrong thing. It also 
would begin the detection of the insider threat before the “recruit- 
ment by malevolent group” phase. The resultant security system 
to mitigate the insider threat would integrate all of the protection 
functions in order to provide a system that is performance-based, 
rather than compliance-based and to provide protection in depth. 
In addition, the analysis results would be traceable and repeatable. 


REFERENCES 


1. Biringer, Betty, White Paper: Integrated Protection System to 
Mitigate the Insider Threat, Sandia National Laboratories, Albu- 
querque, NM, June 2005. 

2. Chapter 22, “Insider Analysis,” The Nineteenth International 
Training Course for the Physical Protection of Nuclear Facilities 
and Materials, Sandia National Laboratories and the International 
Atomic Energy Agency, April 30 — May 19, 2006, Albuquerque, NM. 

3. Turner, James T., PhD and Gelles, Michael G., PsyD, Threat 
Assessment A Risk Management Approach, The Haworth Press, 
Binghamton, NY, 2003. 


EXERCISES 


1. List possible security-related undesired events for a building that 
an outsider adversary and an insider adversary might have in 
common. What are some undesired events that would apply to the 
insider adversary only? 

2. What are some of the sensitivities and restrictions in protecting 
against the insider threat? 

3. Discuss the three factors for assessing capability associated with 
insider job categories for causing an undesired event? Are they all 
of equal importance? Why or why not? 

4, What are the two basic functions of an integrated protection system 
to mitigate the insider threat? How might each be accomplished? 

5. Why is it so difficult to protect against a possible insider threat? 


АМЕО 
ASD 
ASSESS 


ATF 


BPA 
CBR 
CCTV 
DHS 
EASI 
EOC 
FBI 
FERC 
HVAC 
IFIP 
JCATS 
JTTF 
NSTL 
PPS 
SAVI 
SCADA 
SNL 
STAC 


Acronyms 


Ammonium nitrate and fuel oil 

adversary sequence diagram 

Analytic System and Software for Evaluating 
Safeguards and Security 

United States Treasury Bureau of Alcohol, Tobacco 
and Firearms 

Bonneville Power Administration 
chemical-biological-radiological 

closed-circuit television 

Department of Homeland Security 

Estimate of Adversary Sequence Interruption 
emergency operations center 

Federal Bureau of Investigation 

Federal Energy Regulatory Commission 

heating, ventilation, and air conditioning 
Interagency Forum for Infrastructure Protection 
Joint Combat and Tactical Simulation 

Joint Terrorist Task Force 

National Security Threat List 

physical protection system 

Systematic Assessment of Vulnerability to Intrusion 
supervisory control and data acquisition 

Sandia National Laboratories 

Science-based Threat Analysis and Countermeasures 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


345 


346 


TNT 
TVA 
UPS 
USACE 
USBR 
WAPA 


ACRONYMS 


Tri-nitro toluene 

Tennessee Valley Authority 
uninterrupted power supply 

United States Army Corp of Engineers 
United States Bureau of Reclamation 
Western Area Power Administration 


Glossary 


Adversary strategy — Overall plan used to achieve the adver- 
sary’s objective under advantageous conditions. 

Adversary strategy, most-vulnerable — The adversary strat- 
egy to which the security system is most vulnerable. The 
most-vulnerable strategy is the one most advantageous for the 
adversary to pursue in order to achieve the undesired event. 

Adversary tactic — Employment of available means to prevent a 
system feature from accomplishing its purpose. The feature may 
be part of the security system or a critical asset. 

Consequences — Losses to a facility and the public resulting from 
the defeating of a mission objective. Consequence of loss may be 
measured in dollars, lives lost, or other measures, but should 
be consistent to allow for meaningful comparisons. Some conse- 
quences may be difficult to quantify, such as political damage or 
loss of public trust. 

Critical assets — Those assets that are essential to meeting the 
mission objectives. Security systems are intended to ensure 
that the mission continues to be performed despite malevolent 
intervention by humans. Identification of the critical assets is 
necessary before designing, evaluating, or upgrading a security 
system for their protection. 

Defeat method — See Adversary tactic. 

Delay — A feature that impedes an adversary’s progress. 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


347 


348 GLOSSARY 


Design threat — The threat against which the security system 
upgrade will be designed to be effective. Constraints on resources 
may result in the design threat being less than the maximum 
credible threat to the facility. Availability of additional resources 
for security upgrades at a later time might enable a more severe 
design threat to be adopted. The design threat describes the 
number of adversaries, their modus operandi, the type of tools 
and weapons they would use, and the type of events or acts they 
are willing to commit. 

Detection — The sensing, reporting, and assessment of an adver- 
sary action. 

Domestic terrorist — An individual or group based and operating 
entirely within the United States and Puerto Rico without foreign 
direction and whose acts are directed at elements of the U.S. 
government or population. 

Fault Tree — A graphic, logical representation of the relationship 
among the mission objectives of the facility and the critical 
assets that support the objectives. A fault tree is built from 
the adversary’s point of view, describing events that cause the 
facility to fail to meet its objectives by misusing, disabling, or 
destroying critical assets. 

Intelligence — Information and knowledge obtained through obser- 
vation, investigation, analysis, or understanding. The security 
system needs intelligence about adversaries. Adversaries need 
intelligence about the security system. 

International terrorist — A person or group of persons who com- 
mit an unlawful use of force or violence against two or more 
nations to intimidate or coerce a government, the civilian pop- 
ulation, or any segment thereof, in furtherance of political or 
social objectives. 

Path — Route taken by an adversary from off-site through areas 
and path elements to reach the target and, optionally, to return 
off-site. A path is part of a scenario. 


Glossary 349 


Professional expertise/judgment — The knowledge accumulated 
by trained, experienced personnel employed by the owner/opera- 
tor of the facility being assessed, especially the knowledge pos- 
sessed by on-site personnel. 

Protection system — Physical security and cyber-security mea- 
sures used to counter mission threats and consequences. 

Response — Interruption and neutralization of the adversary by 
security police. 

Risk — A measure of the uncertainty of achieving a goal or fulfilling 
a mission. 

Risk is quantified by the following equation: 


PaxCx(1—-Pr)=R 
where: 


Px = Likelihood of attack 
C = Consequence of the loss from the attack 
Pr = Security system effectiveness against the attack 
(1 — Pg) = Security system ineffectiveness 


R = Risk associated with adversary attack 


Sabotage — Whoever, with intent that his or her act shall, or with 
reason to believe that it may, injure, interfere with, interrupt, 
supplant, nullify, impair, or obstruct the owner’s or opera- 
tor’s management, operation, or control of any agricultural, 
stock-raising, lumbering, mining, quarrying, fishing, manufac- 
turing, transportation, mercantile, or building enterprise, or 
any other public or private business or commercial enterprise, 
wherein any person is employed for wage, shall willfully dam- 
age or destroy, or attempt or threaten to damage or destroy, 
any property whatsoever, or shall unlawfully take or retain, or 


350 GLOSSARY 


attempt or threaten unlawfully to take or retain, possession or 
control of any property, instrumentality, machine, mechanism, 
or appliance used in such business or enterprise, shall be guilty 
of criminal sabotage. 

Scenario — Outline of events along a specific path by which the 
adversary plans to achieve his objective. 

Scenario, most-vulnerable — The (adversary) scenario that tak- 
es the greatest advantage of the vulnerabilities of the security 
system. 

Target- A point, object, or goal at which something else is 
directed. A critical asset to be affected (i.e., misused, disabled, or 
destroyed) by an action of an adversary. 

Terrorism — The unlawful use of force or violence against persons 
of property to intimidate or coerce a government, the civilian 
population, or any segment thereof, in furtherance of political or 
social objectives. 

Terrorist — An adversary who uses violence, terror, and intimida- 
tion to achieve a result. 

Terrorist group — A collection of adversaries, commonly working 
in small, well-organized groups or cells that repeatedly commits 
acts of violence or threatens violence in pursuit of its political, 
religious, or ideological objectives. 

Threat — Anything that can disrupt the mission of the facility. A 
facility may face several malevolent threats to its mission. The 
many varieties of adversaries fall into three classes: insiders, 
outsiders, and outsiders working in collusion with insiders. 

Threat assessment — A systematic evaluation of the threat that 
identifies and describes the adversaries a facility may face in the 
future together with an estimate of the likelihood that an attack 
will occur. 


Glossary 351 


Threat, site-specific — The spectrum of threats to the site being 
assessed; a subset of the generic threat. The site-specific threat 
may be common to several sites within a geographical area. 

Vulnerability — A weakness or gap in the protection system. 


Index 


Acronym list, 345-346 
Adversary capability, 56 


collusion, 56 

equipment, 56, 57 

expected number in group, 56, 57 

explosives, 57, 58 

financial resources, 57, 58 

intelligence gathering means, 56, 57 

motivation, 56, 57 

potential for collusion with insider, 57, 
58 

tactics, 56, 57 

targets of interest, 56, 57 

technical skills/knowledge, 57, 58 

transportation, 56, 57 

weapons, 56, 58 


Adversary sequence diagrams (ASDs), 90, 


91, 132, 154, 308 
adjacent physical areas, 92 
adversary paths, 91 
jump feature, 306-307 
path elements, 94, 304 
physical areas, 304 
protection layers. 92 
protection system features, 304 
contraband detection, 95 
delay features, 94 
detection features, 94 
detection (with assessment), 94 
entry control, 94 
sabotage analysis, 93-94 
system features, 92 
theft analysis, 94 


Adversary spectrum, 53 


hypothetical adversary spectrum 
summary, 59—61 


Adversary strategies, 88 


critical assets for strategies, 90 
most-vulnerable scenario, 96 


critical asset, 96 
path elements, 96 
PPS effectiveness, 96, 97 
functions of detection, delay, and 
response, 97 
integrated functions, 97 
undesired event, 96 
most-vulnerable strategy, 88 
Asset prioritization, 83 
prioritization matrix, 84 
threat potential (likelihood of 
attack), 84 
consequence, 84 
undesired events, 84 
Audit, 16, 38 
Authentication, 15, 37 
Authorization, 15, 38 


Collusion threat, 56 
Conditional risk, 7 
Consequence analysis, 11, 75 
consequence categories, 12, 
consequence definitions, 12, 76 
consequence severity level, 12 
criteria, 76 
estimating consequences for undesired 
events, 77—80 
reference table of consequences, 75 
Consequence of successful adversary 
attack, 7 
Contingency protection system 
upgrade, 173 
Critical assets, 40, 42 
Critical infrastructure, 4 
Cyber protection system, 37, 87 
audit function, 38, 109, 115 
intrusion detection system, 112 
monitors for access control, 112 
review of traffic data, 112 


Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures 
B. E. Biringer, R. V. Matalucci and S. L. O’Connor © 2007 John Wiley & Sons, Inc. ISBN: 978-0-471-79352-6 


353 


354 


scanners, 112 

virus protection, 112 
authentication function, 37, 109, 115 

biometric authentication, 111 

encryption techniques, 110 

passwords (weak and strong), 110, 

115 

smart cards or tokens, 110 

two-factor authentication, 110 
authorization function, 38, 109, 111, 

115 


Cyber-protection system effectiveness, 88, 


106, 113, 115 
assessment, 107 
availability, 106 
confidentiality, 106 
critical asset, 114 
cyber-path diagram, 107 
access points, 107 
electronic links, 107 
exterior electronic boundary, 107 
functions, 108 (see also Cyber-protection 
system) 
audit, 38, 109, 115 
authentication, 37, 109, 115 
authorization, 38, 109, 111, 115 
integration of, 113, 115 
integrity, 106 
vulnerabilities, 112, 114 
access control monitoring, 113 
introduction of malicious code, 112 
patches, 112 
site-specific, 114 


Demonstration of the security risk 


assessment and management 
process, 189 
blast effects analysis, 265—269 
building fault tree, 208—212 
consequence definitions, 229 
consequences, 228, 230—239 
critical assets, 207, 209, 213—214 
cyber protection system 
effectiveness, 259—265 
example building, 197 
facility characterization, 195 
impact analysis, 286—288 
insider threat severity, 227 
management decisions, 296—297 
physical protection system 
analysis, 246-2579 


INDEX 


presentation package (to 
management), 289-295 
prioritization analysis, 239-244 
risk estimates, 271-273 
risk reduction, 273—285 
consequence mitigation 
upgrades, 282—284 
cyber protection upgrades, 281—282 
physical protection 
upgrades, 274—281 
screening, 192 
threat, 215, 217 (table) 
threat potential/likelihood of 
attack, 215, 219-226 
undesired events, 207 
Design threat, 173 
Detection, 14 
Delay, 14, 95 
DHS, 51 


Effective protection system, 14 
cyber system, characteristics of, 15 
physical system, characteristics of, 14 
relation to system ineffectiveness, 13 
vulnerabilities, 13 
Effectiveness analysis complex protection 
systems, 100, 309 
area traversal times, 311 
completed example, 315-327 
effectiveness factors, 310 
instructions, 309-315 
qualitative estimate, 100 
response effectiveness, 312-313 
system features for buildings, 315 
Effectiveness analysis simple protection 
systems, 99 
inspection, 99 


Facility characterization, 9, 31 
critical assets, 9, 31 
cyber system description, 9 
mission of building, 9 
physical description, 9, 31 
protection objectives, 9, 31 
security concerns, 9 
undesired events, 9, 31, 32 

Facility description, 33 
cybersystem, 33, 34 
facility operations, 33, 34 
physical details, 33 
restrictions, requirements, 

limitations, 33 


Index 355 


safety protection systems, 33 
security protection systems, 33, 35 
workforce description, 33 


Fault tree, 297 


analysis, 297 
‘AND’ gate, 40, 41 
completeness, 297 
Fault Tree Handbook, 42 
gate symbols, 299 
intermediate events, 298 
miscellaneous symbols, 300 
‘OR gate, 40, 41 
primary events, 298 
basic events, 298 
developed event, 298 
external event, 298 
symbols, 298—299 
undeveloped event, 298 
site-specific, 43 
top event, 297, 298 
transfer operation, 41 


Fault tree for buildings (generic), 40, 297, 


300 

compromise health and safety of 
occupants, 301 

compromise structural integrity of 
building, 301 

disable/misuse emergency systems, 
302 

disable/misuse HVAC, 302 

disable/misuse information system, 302 

disable/misuse physical utilities, 301 

disrupt normal work operations, 300 

disruption of building mission, 300 


FBI, 53 
Final report, 166-171 


Consequence analysis, 166, 168 

executive summary, 166, 167 

impact analysis, 167, 170 

introduction, 166, 167 

report overview, 171 

risk estimation, 167, 169 

risk reduction strategies and 
packages, 167, 170 

supporting documentation, 167, 171 

system effectiveness assessment, 166, 
169 

threat analysis, 166, 168 


Homeland Security Advisories and 
Homeland Security Information 
Bulletins, 52 


IFIP, 5,51 
Impact analyses, 165 
Information protection, 19 
Insider threat, 54, 55, 69, 329 
background check, 337 
collusion, 56 
definition, 333 
detection of malevolent actions, 340 
detection of misuse or unauthorized 
activity, 340 
deterrence, 338 
employment positions, 334 
entry/exit control for the insider, 340 
gaps in protection, 341, 342, 343 
insider access, 336 
insider advantages, 334 
insider authority, 336 
insider knowledge, 336 
insider motivations, 334 
insider threat spectrum, 334 
integrated protection system to 
mitigate, 329, 330 
integration of effective security 
features, 339 
legal and political issues, 329 
logic tree, 332 
‘AND’ gate, 332 
‘OR gate, 332 
transfer operation, 332 
minimization of opportunity for 
malevolent acts, 339 
operations security, role of, 341 
personnel screening, 70, 
for high-risk positions, 339 
pre-employment screening, 337 
proper response to malevolent acts, 341 
protection features for, 336 
protection goal, 338 
protection system upgrades, 343 
security awareness role, 338 
undesired events, 331 


ЈТТЕ, 51 


Likelihood of attack, 7 


Garcia, Mary Lynn, 36, 95 
Gelles, Michael G., 338 Management presentation package, 18, 
Glossary, 347-350 165 


356 


Management presentation package, 
(continued) 
briefing, 166 
risk reduction, 17 
packages, 18 
impacts, 18 
security risk estimates, 18 
threat description, 18 
Military Standard 882D, 12, 77 


National Security Threat List, 53 
Country Threat List, 53 
Issues Threat List, 53 

National Threat Center, 53 
Public Access Center Unit, 53 
Terrorist Watch and Warning Unit, 53 
Threat Monitoring Unit, 53 


Outsider threat, 54 
collusion, 56 
criminals, 54 
extremists, 54 
foreign intelligence personnel, 55 
psychotics, 55 
terrorists, 54 
threat potential estimation (likelihood 
of attack), 62 
vandals, 55 


PDD63, 5 
Personnel screening, 70 
Physical protection system, 35, 87 
detection, 35 
delay, 36 
effectiveness, 88 
response, 37 
features, 304 
contraband detection, 95 
delay features, 94 
detection features, 94 
detection (with assessment), 94 
entry control, 94 
Protection objectives, 9, 31, 44, 87 
Protection system effectiveness, 87, 90, 96, 
97 
ASD, 90, 91, 305 see also Adversary 
sequence diagrams 
detection and delay values, 90 
most-vulnerable scenario, 90, 96 
critical asset, 96 
path elements, 96 


INDEX 


PPS functions, 97 
detection, delay, and response, 97 
integrated functions, 97 
relationships of, 98 
Adversary Task Time, 98 
system effectiveness analysis, 132 
undesired event, 96 
upgraded system, for the, 154 
Protection system effectiveness 
worksheets, 309 


Reference Table of Consequences, 24, 51, 
75 
Response, 14, 37 
Restrictions, requirements, limitations, 39 
Risk assessment report, 165 
Risk assessment team, 175 
Risk decisions, 4 
Risk management, 165 
risk acceptance, 172 
risk avoidance, 171 
risk reduction, 172 
risk spreading, 172 
risk transfer,172 
Risk management decisions, 165 
Risk parameters, 7 
Risk reduction, 154 
ASDs, 154 
reducing the consequences, 154 
upgrading the protection system, 154 
Risk reduction recommendations, 165 
Risk reduction strategies, 17, 127 
combination of, 148 
comparing baseline system risk to 
upgraded system risk, 156 
“deterrence,” 127 
impacts of, 153 
building- or facility-specific, 153 
strategies to mitigate 
consequences, 132, 134 
construction hardening, 133 
alternate strategies, plans, 137 
barriers, rigid and 
energy-absorbing 
(frangible), 134 
blast design basis threat, 133 
blast effects, 133 
building structural members, 134 
characteristics, shape, 
energy-release efficiency, and 
quantity of explosive 
material, 138 


computer calculations, 137 
computer simulation 
ZAPOTEC, 138 
controlling vehicle access, 137 
distance of explosive from 
target, 138 
explosive blast effects, generic 
table of (ATF), 139 
finite-element-based computer 
simulation, 138 
graphs of blast-effect curves, 
139 
hydrodynamic code CTH, 138 
mode of building failure, 135 
obstructions, 134 
orientation, 134 
preliminary structural 
analysis, 136 
protection from explosive 
attack, 136 
single points of failure, 135 
site features, 134 
standoff distance, 137 
structural dynamics code 
PRONTO 3-D, 138 
technical description of structure 
under attack, 138 
effects of the consequence reduction 
features, 155 
emergency planning, 133, 145 
early warning systems, 145 
emergency action plans, 145 
evacuation from premises, 145 
first responders, 147 
law enforcement tactics, 146 
local support agreements, 147 
temporary security response 
force, 146 
optimized recovery, 133, 134, 143 
backup and alternative 
projects, 143 
customer agreements, 144 
supervisory control and data 
acquisition (SCADA) 
function, 143 
redundancy, 133, 141 
backup systems, 141 
inventory and stockpile 
planning, 141 
support agreements, 142 
Reference Table of 
Consequences, 155 


Index 357 


strategies to increase protection system 
effectiveness, 129 
authentication, authorization, audit 
function upgrades and 
integration, 129 
cyber protection system upgrade 
features, 131 
cyber-protection system 
upgrades, 129 
detection, delay, response function 
upgrades and integration, 129 
physical protection system upgrade 
features, 130 
physical protection system 
upgrades, 129 
strategies to reduce security risk, 127 
Risk reduction upgrade packages, 17 
comparison of relative costs associated 
with upgrade packages, 158 
costs, 157 
impact analysis, 18, 157 
impact on operations or schedules, 159 
impact on public opinion, 160 
relation to site-specific 
vulnerabilities, 17 
site-specific concerns, 160 


Sabotage analysis, 306 
Sandia National Laboratories, 5, 52 
SCADA, 37 
Screening analysis, 23 
consequence criteria, 24 
consequence parameter, 24 
consequence categories, 24 
levels of consequence, 24 
Reference Table of Consequences, 24, 
75 
Security risk, 8 
assessment and management process 
analysis of impacts imposed by risk 
reduction upgrade 
packages, 177, 184 
comparison of estimated risk level to 
threshold, 176, 183 
consequence analysis, 176, 180 
facility characterization, 175, 177 
presentation to management, 177, 
185 
risk estimation, 121, 127, 176, 182 
risk management decisions, 177, 185 
risk reduction strategies, 176, 183 


358 INDEX 


Security risk, (continued) 
system effectiveness 
assessment, 176, 180 
threat analysis, 175, 178 
conditional risk, 122 
equation, 8 
estimation, 16 
parameters, 121 
consequences of adversary 
success, 121, 127 
likelihood of adversary attack, 121, 
127 
system ineffectiveness, 8, 121, 127 
process, 8, 19 
security risk value, 122 
traditional risk equation, 5 
Security risk estimates, 165 
Security system performance 
assessment, 16 
Site-specific fault tree, 43, 87 


Theft analysis, 308 
Threat analysis, threat potential, 
likelihood of adversary attack, 10, 49, 
161 
adversary capability, 11 
adversary history/intent, 11 
design threat, 161 
factors 
adversary capability, 63, 64 
adversary intent/history, 63, 65 
relative attractiveness of asset to 
adversary, 63, 65 


process, 50 
project-specific threat, 161 
relative attractiveness of asset to 
adversary, 11 
revised threat, 161 
sources of information, 50 
local and state sources, 51 
national sources, 52 
threat definition, 10 
threat description, 10, 87, 165 
threat potential for attack, 58 
initiating event,/safety studies, 58 
estimating, 62—69 
Threat Assessment, A Risk Management 
Approach, 338 
Turner, James T., 338 


US Treasury Bureau of Alcohol, Tobacco 
and Firearms (ATF), 139 


Vulnerabilities, 104, 114 
cyber, 130 
physical, 130 
specific, 13, 87, 104, 114, 130, 154 
Vulnerability Assessment of Physical 
Protection Systems, 36, 95 


Workforce description, 38 
positions, 39 
pre-employment background 

investigations, 39, 70 


